PSS ID Number: 244540
Article Last Modified on 12/5/2003
The information in this article applies to:
- Microsoft Internet Explorer 5.0 for Windows NT 4.0
- Microsoft Internet Explorer 4.01 for Windows NT 4.0 SP 2
- Microsoft Internet Explorer 5.0 for Windows 98
- Microsoft Internet Explorer 4.01 for Windows 98 SP 2
- Microsoft Internet Explorer 5.0 for Windows 95
- Microsoft Internet Explorer 4.01 for Windows 95 SP 2
- Microsoft Windows 98 Second Edition
This article was previously published under Q244540
SUMMARY
Microsoft has released an update that eliminates a vulnerability that could permit a malicious user to embed an unsafe executable (.exe) file within an e-mail message and disguise it as a safe type of attachment. Through a complicated series of steps, the unsafe executable could be made to execute under certain conditions, if the user opens the attachment.
Additional information about this issue is available from the following Microsoft Web sites:
Updates are available for the following products:
- Microsoft Internet Explorer 4.01 Service Pack 2 for Windows 95
- Microsoft Internet Explorer 4.01 Service Pack 2 for Windows 98
- Microsoft Internet Explorer 4.01 Service Pack 2 for Windows NT 4.0 (Alpha and x86)
- Microsoft Internet Explorer 5 for Windows 95
- Microsoft Internet Explorer 5 for Windows 98
- Microsoft Internet Explorer 5 for Windows NT 4.0 (Alpha and x86)
- Microsoft Windows 98 Second Edition
Microsoft Internet Explorer 4.x and 5 for Windows 3.1, Windows NT 3.51, UNIX on Sun Solaris, and Internet Explorer 4.x for Macintosh are not affected by this problem. Internet Explorer version 3.x for Windows 95 and Windows NT 4.0 is also not affected.
MORE INFORMATION
The Inseng.dll Active Setup Install Engine permits cabinet files to be launched and executed. A HyperText Markup Language (HTML) e-mail message could use this capability to launch a malicious cabinet file renamed as a normal file. If a user attempted to open this file, the operation would not work as a user would expect, but it could copy a file to an expected location without any notice to the user. The ActiveX control could then be used by a script embedded in the e-mail to start the copied file, causing the malicious code to be run.
The vulnerability could only be exploited in cases where an e-mail program is used that permits scripts in HTML e-mail and stores temporary copies of previously run programs in known locations (for example, Microsoft Outlook or Outlook Express).
This patch restricts the ability of the control to start unsigned cabinet files that have been downloaded from the local computer.
After installing this update, "Q244540" is added to the "Update versions" line when you click About Internet Explorer on the Help menu.
This patch is available from the following Microsoft Web site:
Internet Explorer 5

   File name    Size      Date         Version          Platform
   -----------------------------------------------------------
   Inseng.dll    76,048   10/26/1999   5.00.2722.2600   x86
   Inseng.dll   144,144   10/26/1999   5.00.2722.2600   Alpha

Internet Explorer 4.01 SP2

   File name    Size      Date         Version          Platform
   -----------------------------------------------------------
   Inseng.dll    59,568   10/26/1999   4.72.3710.2600   x86
   Inseng.dll   110,864   10/26/1999   4.72.3710.2600   Alpha
NOTE: Microsoft Internet Explorer 4.0, 4.01, 4.01 Service Pack 1 for Windows 95 and Windows NT 4.0, and Microsoft Windows 98 are also vulnerable to this problem, but running the patch on a version of Internet Explorer prior to 4.01 SP2 will result in the same message that results from running the patch on an unaffected system (for example, Internet Explorer 3.02 for Windows 95 or Windows NT 4.0):
Patches are only available for Internet Explorer 4.01 SP2 and later. Microsoft recommends that users update to Internet Explorer 4.01 SP2 or 5 and then install this patch.
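One way to confirm the update across several machines is to compare each computer's Inseng.dll file version with the fixed builds listed in the file table above. The following is an added example, not Microsoft's code; the inventory format, host names, and unpatched version numbers are constructed for illustration.

```python
# Added example: audit collected Inseng.dll versions against the fixed builds.
# Fixed builds come from the article's file table, keyed by major.minor branch.
FIXED_BUILDS = {
    (5, 0): (5, 0, 2722, 2600),    # Internet Explorer 5
    (4, 72): (4, 72, 3710, 2600),  # Internet Explorer 4.01 SP2
}

# Constructed inventory: "host,Inseng.dll file version" (assumed export format).
SAMPLE_INVENTORY = """\
WS-01,5.00.2722.2600
WS-02,5.00.2614.3500
WS-03,4.72.3710.2600
WS-04,4.72.3110.0
WS-05,4.70.1155.0
WS-06,unknown
"""

def parse_version(text):
    """Turn '5.00.2722.2600' into (5, 0, 2722, 2600); reject malformed input."""
    parts = text.strip().split(".")
    if len(parts) != 4:
        raise ValueError(f"not a four-part file version: {text!r}")
    return tuple(int(p) for p in parts)  # int() drops leading zeros ("00" -> 0)

def classify(version_text):
    """Return 'patched', 'missing-update' or 'no-fixed-build-listed'."""
    version = parse_version(version_text)
    fixed = FIXED_BUILDS.get(version[:2])
    if fixed is None:
        # The article lists no fixed Inseng.dll for this branch; it says to
        # update to Internet Explorer 4.01 SP2 or 5 before patching.
        return "no-fixed-build-listed"
    return "patched" if version >= fixed else "missing-update"

def audit(inventory_text):
    """Map each host to its status; unreadable versions are flagged, not skipped."""
    results = {}
    for line in inventory_text.splitlines():
        if not line.strip():
            continue
        host, _, version_text = line.partition(",")
        try:
            results[host.strip()] = classify(version_text)
        except ValueError:
            results[host.strip()] = "unreadable-version"
    return results

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

A file version alone does not show whether a 4.72 build is Service Pack 2, so a "missing-update" result on that branch still needs the Internet Explorer version check described in article 164539.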
For additional information, click the article number below to view the article in the Microsoft Knowledge Base:
164539 Determining Which Version of Internet Explorer You Are Using
NOTE: To work around this vulnerability if you cannot install this patch, disable Active Scripting in your e-mail program. To do this in Microsoft Outlook or Outlook Express, please see the appropriate Microsoft Knowledge Base article:
192846 How to Disable Active Scripting in Outlook Express
215774 OL2000: Scripts Embedded in HTML Messages Run without Warning
Additional query words: asctrls.ocx