Microsoft KB Archive/280768



INFO: Update Available for "Cross-Domain File Reading Vulnerability" Issue

Article ID: 280768

Article Last Modified on 9/27/2004



APPLIES TO

  • Microsoft Internet Explorer 4.0 128-Bit Edition, when used with:
    • Microsoft Windows 2000 Standard Edition
    • Microsoft Windows NT 4.0
    • Microsoft Windows Millennium Edition
    • Microsoft Windows 98 Standard Edition
    • Microsoft Windows 98 Second Edition
  • Microsoft Internet Explorer 4.01 Service Pack 2, when used with:
    • Microsoft Windows 2000 Standard Edition
    • Microsoft Windows NT 4.0
    • Microsoft Windows Millennium Edition
    • Microsoft Windows 98 Standard Edition
    • Microsoft Windows 98 Second Edition
  • Microsoft Internet Explorer 4.01 Service Pack 1, when used with:
    • Microsoft Windows 2000 Standard Edition
    • Microsoft Windows NT 4.0
    • Microsoft Windows Millennium Edition
    • Microsoft Windows 98 Standard Edition
    • Microsoft Windows 98 Second Edition
  • Microsoft Internet Explorer 5.0, when used with:
    • Microsoft Windows 2000 Standard Edition
    • Microsoft Windows NT 4.0
    • Microsoft Windows Millennium Edition
    • Microsoft Windows 98 Standard Edition
    • Microsoft Windows 98 Second Edition
  • Microsoft Internet Explorer 5.01, when used with:
    • Microsoft Windows 2000 Standard Edition
    • Microsoft Windows NT 4.0
    • Microsoft Windows Millennium Edition
    • Microsoft Windows 98 Standard Edition
    • Microsoft Windows 98 Second Edition
  • Microsoft Internet Explorer (Programming) 5.01 SP1, when used with:
    • Microsoft Windows 2000 Standard Edition
    • Microsoft Windows NT 4.0
    • Microsoft Windows Millennium Edition
    • Microsoft Windows 98 Standard Edition
    • Microsoft Windows 98 Second Edition
  • Microsoft Internet Explorer 5.5, when used with:
    • Microsoft Windows 2000 Standard Edition
    • Microsoft Windows NT 4.0
    • Microsoft Windows Millennium Edition
    • Microsoft Windows 98 Standard Edition
    • Microsoft Windows 98 Second Edition



This article was previously published under Q280768

SUMMARY

Microsoft has released an update to Internet Explorer that addresses a potential security issue in which a malicious Web site operator could use the GetObject function to read the files on your hard disk and upload them to the Web site.

On March 6, 2001, Microsoft released information regarding a new variant of this vulnerability. For information on the variant and where to download the patch, see the following Microsoft Web site:

MORE INFORMATION

When a script tries to use GetObject to instantiate an ActiveX object, Internet Explorer should:

  1. Determine whether the object is safe to create, based solely on its type.
  2. Determine whether the object is safe to run after it is created.
  3. Determine whether it is safe to load potentially untrusted content into the object after the object is run.
  4. Determine whether the data path to that content is legally accessible from the current page (in other words, it is not breaking cross-domain security) after it loads untrusted content.

However, Internet Explorer does not perform the last of these checks: it fails to verify whether the data path breaks cross-domain security.

If you are using Internet Explorer 5.01 with a Jscript.dll version earlier than 5.1.0.5907, or Internet Explorer 5.5 with a Jscript.dll version earlier than 5.5.0.5824, you must apply this patch.
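
The version check above can be applied to an inventory export. The following Python script is an added example, not part of the original Microsoft article: the CSV layout, host names and sample file versions are constructed, and only the two Jscript.dll thresholds come from the article. Versions are compared numerically because a string comparison would wrongly order build 10000 before build 5824.

```python
import csv
import io

# Jscript.dll builds named in the article: anything earlier must be patched.
FIXED_JSCRIPT = {
    "5.01": (5, 1, 0, 5907),
    "5.5": (5, 5, 0, 5824),
}


def parse_version(text):
    """Turn 'a.b.c.d' into a tuple of ints so builds compare numerically."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError("not a four-part file version: %r" % text)
    return tuple(int(p) for p in parts)


def needs_patch(ie_version, jscript_version):
    """True or False for IE 5.01 and 5.5; None when the article gives no threshold."""
    fixed = FIXED_JSCRIPT.get(ie_version.strip())
    if fixed is None:
        return None
    return parse_version(jscript_version) < fixed


# Constructed sample inventory (hypothetical hosts and file versions).
INVENTORY = """host,ie_version,jscript_version
ws-01,5.01,5.1.0.5010
ws-02,5.01,5.1.0.5907
ws-03,5.5,5.5.0.4629
ws-04,5.5,5.5.0.10000
ws-05,5.0,5.0.0.3715
ws-06,5.5,unknown
"""


def audit(csv_text):
    """Map each host to 'patch', 'ok', 'no-threshold' or 'unreadable'."""
    result = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            verdict = needs_patch(row["ie_version"], row["jscript_version"])
        except ValueError:
            result[row["host"]] = "unreadable"
            continue
        result[row["host"]] = {True: "patch", False: "ok", None: "no-threshold"}[verdict]
    return result
```

Hosts reported as no-threshold run an Internet Explorer version for which the article states no Jscript.dll build, so they need the bulletin itself rather than this check.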

For more information about this issue and to download the patch, see the following Microsoft Security Bulletin:

REFERENCES

For additional information, click the article number below to view the article in the Microsoft Knowledge Base:

251108 Update Available for the "Frame Domain Verification" Issue


