Article ID: 318089
Article Last Modified on 2/1/2007
APPLIES TO
- Microsoft Internet Explorer 5.5 Service Pack 1
- Microsoft Internet Explorer 5.5 Service Pack 2
- Microsoft Internet Explorer 5.01
- Microsoft Internet Explorer 5.01
- Microsoft Internet Explorer 5.5 Service Pack 1
- Microsoft Internet Explorer 5.5 Service Pack 2
- Microsoft Internet Explorer 5.5 Service Pack 1
- Microsoft Internet Explorer 5.5 Service Pack 2
- Microsoft Internet Explorer 5.01
- Microsoft Internet Explorer 5.01
- Microsoft Internet Explorer 5.5 Service Pack 1
- Microsoft Internet Explorer 5.5 Service Pack 2
- Microsoft Internet Explorer 5.01
- Microsoft Internet Explorer 5.01
- Microsoft Internet Explorer 5.5 Service Pack 1
- Microsoft Internet Explorer 5.5 Service Pack 2
- Microsoft Internet Explorer 5.01
- Microsoft Internet Explorer 5.01
- Microsoft Internet Explorer 6.0
- Microsoft Internet Explorer 6.0
- Microsoft Internet Explorer 6.0
- Microsoft Internet Explorer 6.0
- Microsoft Internet Explorer 6.0
- Microsoft Internet Explorer 6.0
This article was previously published under Q318089
After the release of this patch on February 21, 2002, Microsoft became aware of some third-party programs that depend on behavior in VBScript that this patch disables. A minor change has been made to the security patch to fix this bug and to ensure backwards compatibility. A revised patch was released on March 13, 2002. If you experience problems with third-party programs after you apply the original version of this patch, download the revised patch. If you downloaded the original patch and are not experiencing difficulties, you do not need to take any action. As a result, the revised patch is not offered to you when you visit the Windows Update site.
If you experience problems with third-party programs after you apply the original release of this patch, download the revised patch. If you downloaded the original patch and are not experiencing difficulties, you do not need to take any action. For additional information, click the article number below to view the article in the Microsoft Knowledge Base:
319847 MS02-009 May Cause Incompatibility Problems Between VBScript and Third-Party Applications
SYMPTOMS
A vulnerability exists that could allow a malicious Web site operator to view files on the local computer of a visiting user. In addition, the vulnerability could allow a malicious Web site operator to collect information from a user's browsing session after the user had left the Web site. This information could then be passed back to the Web site, and could include personal information such as user names, passwords, or credit card information.
In both cases, the malicious user would have to entice the victim to visit a Web site that is under the malicious user's control. To read information from the user's local computer, the malicious Web site operator would have to know the exact name and location of the files on the user's computer. This vulnerability does not allow an attacker to add, change, or delete files on the user's computer.
CAUSE
This vulnerability occurs because of a flaw in the handling of scripts across domains within frames. The flaw allows scripts to violate Internet Explorer's cross-domain security model in a way that enables a Web site to read data in a frame that belongs to another domain.
RESOLUTION
To resolve this problem, install the latest service pack for Internet Explorer 6 or the February 14, 2002 Security Update from the following Microsoft Web site:
This update can also be download using the appropriate links below.
Internet Explorer 6
To resolve this problem, obtain the latest service pack for Internet Explorer 6. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
328548 How to Obtain the Latest Internet Explorer 6 Service Pack
The following file is available for download from the Microsoft Download Center:
Internet Explorer 6 for Windows 2000 and Windows XP:
Internet Explorer 6 for Windows Me, Windows 98, and Windows NT 4.0:
Release Date: February 21, 2002
For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:
119591 How to Obtain Microsoft Support Files from Online Services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.
File Information for the Original Patch
The English version of the Internet Explorer 6 for Windows 2000 and Windows XP update should have the following file attributes or later:
GMT-UTC Date Time Version Size File name -------------------------------------------------------------- 02-Jan-2002 13:08 5.6.0.7302 467,002 Vbscript.dll
The English version of the Internet Explorer 6 for Windows Me, Windows 98, and Windows NT 4.0 update should have the following file attributes or later:
GMT-UTC Date Time Version Size File name -------------------------------------------------------------- 02-Jan-2002 13:08 5.6.0.7302 467,002 Vbscript.dll
File Information for Revised Patch
The English version of the Internet Explorer 6 for Windows 2000 and Windows XP update should have the following file attributes or later:
GMT-UTC Date Time Version Size File name
--------------------------------------------------------------
26-Feb-2002 19:58 5.6.0.7426 462,906 Vbscript.dll
NOTE: Due to file dependencies, this update may contain additional files.
The English version of the Internet Explorer 6 for Windows Me, Windows 98, and Windows NT 4.0 update should have the following file attributes or later:
GMT-UTC Date Time Version Size File name
-----------------------------------------------------------
26-Feb-2002 19:58 5.6.0.7426 462,906 Vbscript.dll
NOTE: Due to file dependencies, this update may contain additional files.
Internet Explorer 5.5
A supported fix is now available from Microsoft, but it is only intended to correct the problem that is described in this article. Apply it only to computers that you determine are at risk of attack. Evaluate your computer's physical accessibility, network and Internet connectivity, and other factors to determine the degree of risk to your computer. See the associated Microsoft Security Bulletin to help determine the degree of risk. This fix may receive additional testing. If your computer is sufficiently at risk, Microsoft recommends that you apply this fix now. Otherwise, wait for the next Internet Explorer 5.5 service pack that contains this fix.
To resolve this problem immediately, download the fix by following the instructions later in this article or contact Microsoft Product Support Services to obtain the fix. For a complete list of Microsoft Product Support Services phone numbers and information about support costs, visit the following Microsoft Web site:
NOTE: In special cases, charges that are ordinarily incurred for support calls may be canceled if a Microsoft Support Professional determines that a specific update will resolve your problem. The usual support costs will apply to additional support questions and issues that do not qualify for the specific update in question.
The following file is available for download from the Microsoft Download Center:
Internet Explorer 5.5 for Windows 2000:
Internet Explorer 5.5 for Windows Me, Windows 98, and Windows NT 4.0:
Release Date: February 21, 2002
For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:
119591 How to Obtain Microsoft Support Files from Online Services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.
File Information for the Original Patch
The English version of the Internet Explorer 5.5 for Windows 2000 update should have the following file attributes or later:
GMT-UTC Date Time Version Size File name -------------------------------------------------------------- 02-Jan-2002 17:01 5.5.0.7302 458,813 Vbscript.dll
The English version of the Internet Explorer 5.5 for Windows Me, Windows 98, and Windows NT 4.0 update should have the following file attributes or later:
GMT-UTC Date Time Version Size File name -------------------------------------------------------------- 02-Jan-2002 17:01 5.5.0.7302 458,813 Vbscript.dll
File Information for the Revised Patch
The English version of the Internet Explorer 5.5 for Windows 2000 update should have the following file attributes or later:
GMT-UTC Date Time Version Size File name
-----------------------------------------------------------
28-Feb-2002 22:18 5.5.0.7426 450,621 Vbscript.dll
NOTE: Due to file dependencies, this update may contain additional files.
The English version of the Internet Explorer 5.5 for Windows Me, Windows 98, and Windows NT 4.0 update should have the following file attributes or later:
GMT-UTC Date Time Version Size File name
-----------------------------------------------------------
28-Feb-2002 22:18 5.5.0.7426 450,621 Vbscript.dll
NOTE: Due to file dependencies, this update may contain additional files.
Internet Explorer 5.01
The following file is available for download from the Microsoft Download Center:
Internet Explorer 5.01 for Windows 2000:
![[GRAPHIC: Download]](/wiki/index.php?title=File:Download.gif){kind=small}
Download Vbs51nen.exe now
This update is also available in Internet Explorer 5.01 Service Pack 3 for Windows 2000. For additional information, click the article number below to view the article in the Microsoft Knowledge Base:
267954 How to Obtain the Latest Internet Explorer 5.01 Service Pack
Internet Explorer 5.01 for Windows 98 and Windows NT 4.0:
Release Date: February 21, 2002
For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:
119591 How to Obtain Microsoft Support Files from Online Services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.
File Information for the Original Patch
The English version of the Internet Explorer 5.01 for Windows 2000 update should have the following file attributes or later:
GMT-UTC Date Time Version Size File name -------------------------------------------------------------- 02-Jan-2002 17:00 5.1.0.7302 438,330 Vbscript.dll
The English version of the Internet Explorer 5.01 update for Windows 98 and Windows NT should have the following file attributes or later:
GMT-UTC Date Time Version Size File name -------------------------------------------------------------- 02-Jan-2002 17:00 5.1.0.7302 438,330 Vbscript.dll
File Information for the Revised Patch
The English version of the Internet Explorer 5.01 for Windows 2000 update should have the following file attributes or later:
GMT-UTC Date Time Version Size File name
-----------------------------------------------------------
26-Feb-2002 22:14 5.1.0.7426 438,330 Vbscript.dll
NOTE: Due to file dependencies, this update may contain additional files.
The English version of the Internet Explorer 5.01 update for Windows 98 and Windows NT should have the following file attributes or later:
GMT-UTC Date Time Version Size File name
-----------------------------------------------------------
26-Feb-2002 22:14 5.1.0.7426 438,330 Vbscript.dll
NOTE: Due to file dependencies, this update may contain additional files.
STATUS
Internet Explorer 6
Microsoft has confirmed that this problem may cause a degree of security vulnerability in Microsoft Internet Explorer 6. This problem was first corrected in Internet Explorer 6 Service Pack 1.
Internet Explorer 5.5
Microsoft has confirmed that this problem may cause a degree of security vulnerability in Microsoft Internet Explorer 5.5.
Internet Explorer 5.01
Microsoft has confirmed that this problem may cause a degree of security vulnerability in Microsoft Internet Explorer 5.01. This problem was first corrected in Internet Explorer 5.01 for Windows 2000 Service Pack 3.
MORE INFORMATION
The Vbscript.dll file is included with Internet Explorer and Microsoft Windows Script.
- Internet Explorer 6: Any customer who is running Internet Explorer 6, regardless of Windows version, has Windows Script 5.6 installed by default. Internet Explorer 6 includes Windows Script 5.6.
- Internet Explorer 5.5: Any customer who is running Internet Explorer 5.5, regardless of Windows version, has Windows Script 5.5 installed by default. Internet Explorer 5.5 includes Windows Script 5.5.
- Internet Explorer 5.01: Any customer who is running Internet Explorer 5.01, regardless Windows version, has Windows Script 5.1 installed by default.
Customers who have not upgraded their version of Internet Explorer to version 5.5 or 6 are likely to be running the following versions of Windows Script:
- Windows 2000: Windows Script 5.1
- Windows Me: Windows Script 5.5
You can verify the version of Microsoft Visual Basic Scripting Edition (VBScript) that you are running by checking the version of the Vbscript.dll file in the Windows\System32 folder. To do so, right-click the file, and then click Properties.
For more information about this vulnerability, visit the following Microsoft Web site:
Additional query words: security_patch
Keywords: kbbug kbfix kbie501presp3fix kbsecvulnerability kbqfe kbie600presp1fix kbwin2000sp3fix kbsecurity kbie600sp1fix kbie550presp3fix kbsecbulletin kbsechack KB318089
