Microsoft KB Archive/319847

= MS02-009 May Cause Incompatibility Problems Between VBScript and Third-Party Applications =

Article ID: 319847

Article Last Modified on 3/29/2007

-

APPLIES TO


 * Microsoft Internet Explorer 5.5 Service Pack 1
 * Microsoft Internet Explorer 5.5 Service Pack 2
 * Microsoft Internet Explorer 5.01
 * Microsoft Internet Explorer 6.0

-



This article was previously published under Q319847



SUMMARY
After the release of the Microsoft Security Bulletin MS02-009 patch on February 21, 2002, Microsoft became aware of a compatibility problem with several third-party applications that use an unforeseen behavior in Microsoft Visual Basic Scripting Edition (VBScript). This article explains the compatibility problem, as well as the changes that Microsoft made in the updated version of the MS02-009 patch.

For additional information about this patch and how to obtain it, click the article number below to view the article in the Microsoft Knowledge Base:

318089 MS02-009: Incorrect VBScript Handling in Internet Explorer Can Allow Web Pages to Read Local Files



MORE INFORMATION
VBScript can create an instance of Component Object Model (COM) objects that implement the IDispatch interface. Late-bound calls to functions on COM objects are made through a "dispatch" interface (that is, an interface that takes the name of a method at run time and then "dispatches" the call to the correct method).

Some COM objects implement more than one dispatch interface. Some languages (such as Visual Basic) can call an object on any dispatch interface. Some languages (such as JScript) can only call on the default dispatch interface. If you call the CreateObject method in VBScript, the default dispatch interface is returned, regardless of how many secondary interfaces an object supports. However, VBScript does not check whether the interface of an object that is returned by a call to a method or a property is the default interface.

Previous versions of Internet Explorer had a security problem in which they could sometimes return an insecure secondary interface to the VBScript engine, which could then use that object in an insecure manner. To fix this problem, Microsoft modified VBScript to always retrieve the default interface. Although this modification mitigated the security vulnerability, it introduced compatibility problems with some legitimate objects.

The updated version of MS02-009 narrows down this restriction to cover only the Internet Explorer objects that are potentially insecure. This patch now allows third-party objects to use non-default dispatch interfaces in VBScript.
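The three behaviors described above (no check, always use the default interface, restrict only selected objects) can be compared in a small conceptual model. This is an added example, not Microsoft's code or the VBScript engine's logic; the policy names, the object and interface names, and the `restricted` flag are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Dispatch:
    """One dispatch interface: a name plus the methods it resolves at run time."""
    name: str
    methods: frozenset

@dataclass
class ComObject:
    """Model of a COM object with a default and optional secondary dispatch interfaces."""
    progid: str
    default: Dispatch
    secondary: dict = field(default_factory=dict)
    restricted: bool = False  # assumption: marks the "potentially insecure" IE objects

def bind(obj, returned, policy):
    """Pick the interface the script engine calls through for a returned object."""
    if policy == "pre-patch":          # no check on what a method/property returned
        return returned
    if policy == "original-patch":     # always fall back to the default interface
        return obj.default
    if policy == "updated-patch":      # force the default only for restricted objects
        return obj.default if obj.restricted else returned
    raise ValueError(f"unknown policy: {policy}")

def late_bound_call(obj, returned, method, policy):
    """Resolve `method` by name on the bound interface, as a late-bound call would."""
    iface = bind(obj, returned, policy)
    return method in iface.methods

# Constructed sample objects; every name below is hypothetical.
vendor = ComObject("Vendor.Report",
                   Dispatch("IReport", frozenset({"Render"})),
                   {"IReportExport": Dispatch("IReportExport", frozenset({"Export"}))})
browser = ComObject("Browser.Internal",
                    Dispatch("ISafeView", frozenset({"Refresh"})),
                    {"IPrivileged": Dispatch("IPrivileged", frozenset({"PrivilegedOp"}))},
                    restricted=True)

def run_matrix():
    """Return {policy: (vendor secondary call works, restricted secondary call works)}."""
    out = {}
    for policy in ("pre-patch", "original-patch", "updated-patch"):
        v = late_bound_call(vendor, vendor.secondary["IReportExport"], "Export", policy)
        b = late_bound_call(browser, browser.secondary["IPrivileged"], "PrivilegedOp", policy)
        out[policy] = (v, b)
    return out
```

In the model, only the "original-patch" policy breaks the third-party object's secondary-interface call, and only the "pre-patch" policy lets the restricted object's secondary interface through.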

For more information about this vulnerability, refer to the following Microsoft Web site:

http://www.microsoft.com/technet/security/bulletin/ms02-009.mspx

Keywords: kbinfo kbsecurity kbsecbulletin KB319847

-


© Microsoft Corporation. All rights reserved.