Microsoft KB Archive/290108

= Incorrect MIME Header Can Cause Internet Explorer to Run E-mail Attachment =

Article ID: 290108

Article Last Modified on 1/31/2007

-

APPLIES TO


 * Microsoft Internet Explorer 5.5 Service Pack 1
 * Microsoft Internet Explorer 5.5 Service Pack 1
 * Microsoft Internet Explorer 5.01
 * Microsoft Internet Explorer 5.01
 * Microsoft Internet Explorer 5.5 Service Pack 1
 * Microsoft Internet Explorer 5.5 Service Pack 1
 * Microsoft Internet Explorer 5.01
 * Microsoft Internet Explorer 5.5
 * Microsoft Internet Explorer 5.01
 * Microsoft Internet Explorer 5.5 Service Pack 1
 * Microsoft Internet Explorer 5.01

-



This article was previously published under Q290108



SYMPTOMS
Because HTML e-mail messages are Web pages, Internet Explorer can render them and open binary attachments in a way that is appropriate to their MIME type. However, there is a flaw in the type of processing that is specified for certain unusual MIME types. If a malicious user creates an HTML e-mail message that contains an attachment that can be run and then modifies the MIME header information to specify that the attachment is one of the unusual MIME types that Internet Explorer handles incorrectly, Internet Explorer may run the attachment automatically when it renders the e-mail message.

A malicious user could use this vulnerability in either of two scenarios:
 * The malicious user could host an affected HTML e-mail message on a Web site and try to persuade other users to visit the site, at which point script on a Web page could open the mail and run the attachment.
 * The malicious user could send the HTML e-mail message directly to a user.

In either case, the attachment, if it ran, would be limited only by the user's permissions on the computer.

This vulnerability cannot be exploited if file downloads have been disabled in the security zone in which the e-mail message is rendered. However, this is not a default setting in any security zone.



RESOLUTION
You can install the patches that are listed below only on systems that run Internet Explorer 5.01 Service Pack 1 (SP1) or Internet Explorer 5.5 Service Pack 1 (SP1). This fix is already included in Internet Explorer 5.01 Service Pack 2. For additional information about Internet Explorer 5.01 Service Pack 2, click the article number below to view the article in the Microsoft Knowledge Base:

267954 How to Obtain the Latest Internet Explorer 5.01 Service Pack

NOTE: If you try to install one of the patches that are listed below on an unsupported version of Internet Explorer, you receive the following error message:

Microsoft Internet Explorer Update

This update does not need to be installed on this system.

The text of the error message is incorrect and does not necessarily mean that your version of Internet Explorer is unaffected by this problem. If you receive this error message when you try to install one of the patches, use the appropriate resolution for your version of Internet Explorer:  Internet Explorer versions 4.x through 5.01

Upgrade to either Internet Explorer 5.01 SP2 (which includes this fix) or Internet Explorer 5.5 SP1 and then install the patch for this version of Internet Explorer.For additional information about Internet Explorer 5.5 Service Pack 1, click the article number below to view the article in the Microsoft Knowledge Base:

276369 How to Obtain the Latest Internet Explorer 5.5 Service Pack

 Internet Explorer 5.5

Upgrade to Internet Explorer 5.5 SP1 and then install the patch for this version of Internet Explorer or upgrade to Internet Explorer 5.5 SP2 (which includes this fix). For additional information about the latest service pack for Internet Explorer 5.5, click the article number below to view the article in the Microsoft Knowledge Base:

267954 How to Obtain the Latest Internet Explorer 5.5 Service Pack

 Internet Explorer 5.5 Advanced Security Privacy Beta or Internet Explorer 6 Public Preview

Uninstall Internet Explorer 5.5 Advanced Security Privacy Beta or Internet Explorer 6 Public Preview and then apply the approproate patch or Internet Explorer upgrade as noted above.

For additional information about how to determine which version of Internet Explorer you are using, click the article number below to view the article in the Microsoft Knowledge Base:

164539 How to Determine Which Version of Internet Explorer Is Installed

Patch for Internet Explorer 5.5
To resolve this problem, obtain the latest service pack for Internet Explorer version 5.5. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

267954 How to Obtain the Latest Internet Explorer 5.5 Service Pack

For your convenience, the individual update is also available:

The following file is available for download from the Microsoft Download Center:

Download the individual patch now

-or-

Download the IE 5.5 Security Rollup now

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:

119591 How to Obtain Microsoft Support Files from Online Services

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file. The English version of this update should have the following file attributes or later:   Date        Time    Version         Size       File name --  02/20/2001  04:36p  5.50.4614.2000  1,147,152  Shdocvw.dll NOTE: Because of file dependencies, this update requires Internet Explorer 5.5 with Service Pack 1.

Patch for Internet Explorer 5.01
To resolve this problem, obtain the latest service pack for Internet Explorer version 5.01. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

267954 How to Obtain the Latest Internet Explorer 5.01 Service Pack

For your convenience, the individual update is also available for downloading. The following file is available for download from the Microsoft Download Center:

Download the individual patch now

-or-

Download the IE 5.01 Security Rollup now

NOTE: If you have already installed Internet Explorer 5.01 Service Pack 2, you do not need to install this individual update.

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:

119591 How to Obtain Microsoft Support Files from Online Services

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file. The English version of this update should have the following file attributes or later:   Date        Time    Version        Size       File name -  02/20/2001  02:52p  5.0.3214.2000  1,103,632  Shdocvw.dll NOTE: Because of file dependencies, this update requires Internet Explorer 5.01 with Service Pack 1.



Internet Explorer 5.5
Microsoft has confirmed that this is a problem in Internet Explorer 5.5. This problem was first corrected in Internet Explorer version 5.5 Service Pack 2.

Internet Explorer 5.01
Microsoft has confirmed that this is a problem in Internet Explorer 5.01. This problem was first corrected in Internet Explorer version 5.01 Service Pack 2.



MORE INFORMATION
For more information, see the following Microsoft Web site:

http://www.microsoft.com/technet/security/bulletin/ms01-020.mspx

Additional query words: security_patch aliz w32 worm virus badtrans b@mm

Keywords: kbbug kbfix kbwin2000presp2fix kbqfe kbie550presp2fix kbie501presp2fix kbhotfixserver KB290108

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.