SYMPTOMS

A cross-site scripting vulnerability exists in Internet Explorer that can lead to an increase in permissions. An attacker who successfully exploits this vulnerability can cause HTML scripts to run as if they were run locally on the user's computer. This permits the scripts to run outside the security constraints that are typically imposed on them. Therefore, the scripts can take any action on the local computer that the user can take. Specifically, the script can add, change, or delete any data, or change any security settings that the user can change.

An attacker can try to exploit this vulnerability by crafting a malicious Web page with a specially formed URL link. The attacker can then either post the page on a Web site, or send it as an HTML e-mail message. The vulnerability is then exploited when the user views the malicious Web page, or opens or displays the e-mail message in a preview pane.

Any restrictions on the user's ability to take actions on the local computer also limit the actions that an attacker's script can take. For example, if a user lacks permissions to delete data or to change security settings in Internet Explorer, the script is also blocked from those actions. Also, customers who read mail in the Restricted Sites zone are immune from attempts to exploit this vulnerability by HTML e-mail messages. By default, Microsoft Outlook Express 6, Microsoft Outlook 98, Microsoft Outlook 2000 with the Outlook E-Mail Security Update, and Microsoft Outlook 2002 all read mail in the Restricted Sites zone. Customers who use Outlook 2002 Service Pack 1 (SP1) who have turned on the Read as Plain Text feature are also immune from the HTML e-mail attack. This is because this feature turns off all HTML elements, including scripting, in mail. For additional information about this feature, click the article number below to view the article in the Microsoft Knowledge Base: