Article ID: 810847
Article Last Modified on 2/1/2007
APPLIES TO
- Microsoft Internet Explorer 6.0
- Microsoft Internet Explorer 6.0
- Microsoft Internet Explorer 6.0
- Microsoft Internet Explorer 6.0
- Microsoft Internet Explorer 6.0
- Microsoft Internet Explorer 6.0
- Microsoft Internet Explorer 6.0
- Microsoft Internet Explorer 5.5
- Microsoft Internet Explorer 5.5
- Microsoft Internet Explorer 5.5
- Microsoft Internet Explorer 5.5
- Microsoft Internet Explorer 5.01
SUMMARY
Microsoft has released a cumulative patch for Internet Explorer. This patch includes updates for the issues that are described in the following Microsoft Knowledge Base articles:
324929 MS02-068: December, 2002, Cumulative Patch for Internet Explorer
328970 MS02-066: November, 2002, Cumulative Patch for Internet Explorer
323759 MS02-047: August 22, 2002, Cumulative Patch for Internet Explorer
321232 MS02-023: May 15, 2002, Cumulative Patch for Internet Explorer
319182 MS02-015: March 28, 2002, Cumulative Patch for Internet Explorer
316059 MS02-005: February 11, 2002, Cumulative Patch for Internet Explorer
This cumulative patch also addresses the following two newly discovered vulnerabilities that involve Internet Explorer’s cross-domain security model. This security model prevents windows of different domains from sharing information.
- A flaw in Internet Explorer may permit a malicious Web site operator to access information in another Internet domain, or on the user’s local system, by injecting specially crafted code when certain dialog boxes were presented to the user. In the worst case, this vulnerability may permit an attacker to load a malicious executable onto the system and then run it.
The attacker has no way to force a user to a malicious Web site. By default, Microsoft Outlook Express 6.0 and Microsoft Outlook 2002 open HTML e-mail in the Restricted sites zone. Additionally, Microsoft Outlook 98 and Microsoft Outlook 2000 open HTML e-mail in the Restricted sites zone if the Outlook E-mail Security Update has been installed. Customers who use any of these products are at no risk from an e-mail-borne attack that tries to automatically take a user to a malicious Web site and exploit this vulnerability. - A flaw in Internet Explorer may permit an attacker to use the showHelp functionality to either read a local file on a user’s local system or, potentially, to disclose user information. An attacker must lure a user to a malicious Web site, and the attacker also must either know the exact path of the local file or persuade the user to click a link at the malicious Web site and therefore disclose the user’s information. An attacker can also exploit this vulnerability to run local executables with parameters.
The attacker has no way to force a user to a malicious Web site. By default, Outlook Express 6.0 and Outlook 2002 open HTML e-mail in the Restricted sites zone. Additionally, Outlook 98 and Outlook 2000 open HTML e-mail in the Restricted sites zone if the Outlook E-mail Security Update has been installed. Customers who use any of these products are at no risk from an e-mail-borne attack that tries to automatically take a user to a malicious Web site and exploit this vulnerability unless the user clicks a link in the e-mail message.
Important: The patch discussed in this article addresses the vulnerability by making sure that the correct cross-domain security checks occur whenever showHelp functionality is used. However, when you apply the patch, this disables HTML Help functionality because HTML Help was one of the attack vectors. To restore HTML Help functionality, you are also encouraged to download the update to HTML Help update after you apply this cumulative patch. For additional information about this issue, click the following article number to view the article in the Microsoft Knowledge Base:811630 HTML Help Update to Limit Functionality When It Is Invoked with the Window.showHelp( ) Method
Note This patch also addresses an issue that prevented previous cumulative patches for Internet Explorer from successfully installing on Microsoft Windows XP-based computers in noninteractive mode (for example, by using Windows Task Scheduler, Microsoft Systems Management Server, or the IBM Tivoli software).
For more information about this patch, visit the following Microsoft Web site:
MORE INFORMATION
Download Information
To install this patch, visit the following Windows Update site and install Critical Update: 810847:
Administrators can download this update from the Microsoft Download Center or the Windows Update Catalog to deploy to multiple computers. If you want to obtain this update to install later on one or more than one computer, search for this article ID number by using the Advanced Search Options feature in the Windows Update Catalog. For additional information about how to download updates from the Windows Update Catalog, click the following article number to view the article in the Microsoft Knowledge Base:
323166 HOW TO: Download Windows Updates and Drivers from the Windows Update Catalog
To download this update from the Microsoft Download Center, visit the following Microsoft Web site:
For additional information about how to download files from the Microsoft Download Center, click the following article number to view the article in the Microsoft Knowledge Base:
119591 How to Obtain Microsoft Support Files from Online Services
Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on secure servers that prevent any unauthorized changes to the file.
Installation Information
Prerequisites
To install the Internet Explorer 6 version of this update, you must be running Internet Explorer 6 (Version 6.00.2600.0000) on Windows XP. To install the Internet Explorer 6 Service Pack 1 (SP1) versions of this update, you must be running Internet Explorer 6 SP1 (6.00.2800.1106) on Windows XP SP1, Windows 2000 SP2 or SP3, Windows NT 4.0 SP6a, Windows Millennium Edition, or Windows 98 Second Edition. To install the Internet Explorer 5.5 version of this update, you must be running Internet Explorer 5.5 Service Pack 2 (SP2) (Version 5.50.4807.2300) on Windows 2000 SP3, Windows NT 4.0 SP6a, Windows Millennium Edition, or Windows 98 Second Edition. To install the Internet Explorer 5.01 version of this update, you must be running Internet Explorer 5.01 Service Pack 3 (SP3) (Version 5.00.3502.1000) on Windows 2000 SP3. For additional information about how to determine which version of Internet Explorer you are running, click the following article number to view the article in the Microsoft Knowledge Base:
164539 How to Determine Which Version of Internet Explorer Is Installed
For additional information about support lifecycles for Windows operating system components, visit the following Microsoft Web site:
For additional information about how to obtain SP1 for Internet Explorer 6, click the following article number to view the article in the Microsoft Knowledge Base:
328548 How to Obtain the Latest Service Pack for Internet Explorer 6
For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
276369 How to Obtain the Latest Service Pack for Internet Explorer 5.5
For additional information about how to obtain SP3 for Internet Explorer 5.01, click the following article number to view the article in the Microsoft Knowledge Base:
267954 How to Obtain the Latest Internet Explorer 5.01 Service Pack
Reboot Requirement
For the Internet Explorer 6 SP1 package, you must restart your computer to complete the installation of this update. For all other versions of this package you must restart your computer and log on as an administrator to complete the installation of this update.
Previous Update Status
This update supercedes the updates listed in the Summary section of this article.
Setup Switches
The update packages for this patch support the following switches:
- /q Specifies Quiet mode or suppresses messages when the files are being extracted.
- /q:u Specifies User-Quiet mode, which presents some dialog boxes to the user.
- /q:a Specifies Administrator-Quiet mode, which does not present any dialog boxes to the user.
- /t:
path
Specifies the target folder for extracting files. - /c Extracts the files without installing them. If /t:
path
is not specified, you are prompted for a target folder. - /c:
path
Specifies the path and name of the Setup .inf file or the .exe file. - /r:n Never restarts the computer after installation.
- /r:i Prompts the user to restart the computer if a restart is required, except when used with /q:a.
- /r:a Always restarts the computer after installation.
- /r:s Restarts the computer after installation without prompting the user.
- /n:v No version checking. Use this switch with caution to install the update on any version of Internet Explorer.
For example, to install the update without any user intervention and to not force the computer to restart, run the following command:
q810847.exe /q:a /r:n
File Information
The English version of this fix has the file attributes (or later) that are listed in the following tables. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.
The following files are installed in the %Windir%\System folder in Windows 98, Windows 98 Second Edition, and Windows Millennium Edition. They are installed in the %Windir%\System32 folder in Windows NT 4.0, Windows 2000, and Windows XP.
Internet Explorer 6 SP1 (32-bit)
Date Time Version Size File name -------------------------------------------------------------- 02-Dec-2002 15:06 6.0.2800.1141 2,783,232 Mshtml.dll 07-Jan-2003 21:37 6.0.2800.1154 1,338,880 Shdocvw.dll 07-Jan-2003 21:37 6.0.2800.1154 483,328 Urlmon.dll
Internet Explorer 6 SP1 (64-bit)
Date Time Version Size File name -------------------------------------------------------------- 02-Dec-2002 17:33 6.0.2800.1141 9,065,984 Mshtml.dll IA64 08-Jan-2003 00:07 6.0.2800.1154 3,648,000 Shdocvw.dll IA64 08-Jan-2003 00:11 6.0.2800.1154 1,411,584 Urlmon.dll IA64
Internet Explorer 6
Date Time Version Size File name -------------------------------------------------------------- 02-Dec-2002 13:35 6.0.2723.2500 2,761,728 Mshtml.dll 02-Dec-2002 13:38 6.0.2722.900 34,304 Pngfilt.dll 05-Mar-2002 00:09 6.0.2715.400 548,864 Shdoclc.dll 05-Nov-2002 16:01 6.0.2723.100 1,336,320 Shdocvw.dll 02-Dec-2002 13:38 6.0.2715.400 109,568 Url.dll 11-Oct-2002 16:53 6.0.2722.900 481,280 Urlmon.dll 06-Jun-2002 17:38 6.0.2718.400 583,168 Wininet.dll
Internet Explorer 5.5 SP2
Date Time Version Size File name -------------------------------------------------------------- 02-Dec-2002 13:41 5.50.4923.2500 2,757,904 Mshtml.dll 17-Oct-2002 00:01 5.50.4922.900 48,912 Pngfilt.dll 04-Nov-2002 14:27 5.50.4923.500 1,149,200 Shdocvw.dll 05-Mar-2002 01:53 5.50.4915.500 84,240 Url.dll 15-Oct-2002 21:41 5.50.4922.900 451,344 Urlmon.dll 06-Jun-2002 21:27 5.50.4918.600 481,552 Wininet.dll
Internet Explorer 5.01 SP3 (Windows 2000 Only)
Date Time Version Size File name -------------------------------------------------------------- 09-Jan-2003 22:40 5.0.3513.900 2,361,104 Mshtml.dll 14-Oct-2002 15:28 5.0.3510.1100 48,912 Pngfilt.dll 09-Jan-2003 22:41 5.0.3513.900 1,108,752 Shdocvw.dll 05-Mar-2002 01:53 5.50.4915.500 84,240 Url.dll 09-Jan-2003 22:42 5.0.3513.900 451,344 Urlmon.dll 07-Jun-2002 23:56 5.0.3506.1000 461,584 Wininet.dll
Note Because of file dependencies, these updates may also contain additional files.
Known Issues
- If you previously installed the hotfix that is described in Microsoft Knowledge Base article 329802, the symptoms described in Microsoft Knowledge Base articles 329802 or 813951 may reoccur after you install this update. To resolve this problem, install the 813951 Critical Update. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
813951 You Cannot Access Your MSN E-mail Account or Authenticate with a Web Site in Various Programs
- Some of the files updated by the patch discussed in this article are replaced with earlier versions if you remove (uninstall) the Critical Update discussed in the following Microsoft Knowledge Base article:
810565 Hyperlinks Open in Internet Explorer Instead of in Default Browser or Help and Support Center
When this occurs, "Q810847" is still displayed on the Update Versions line in the About Internet Explorer dialog box (on the Help menu) and the registry information related to this update is still present. Therefore, Windows Update does not offer this update to you automatically. To resolve this problem, reinstall the update discussed in this article. To do this, visit the following Microsoft Web site and download the patch:
- This patch may replace some files from a previously installed Internet Explorer hotfix, or you may receive the following error message when you try to install this patch:
To resolve this problem, follow these steps:- If the symptoms that caused you to obtain the previous hotfix recur (because this patch replaced some files from the previously installed Internet Explorer hotfix), reinstall the hotfix.
Note If the hotfix contains later versions of the files that are contained in this patch, this security update is included with the hotfix. - If you receive this error message, first make sure that you are installing the correct version of this patch. Internet Explorer updates are specific to the version of Internet Explorer that you are running (including service pack level and any hotfixes) and language locale. For example, do not install an update for English Internet Explorer 6 on a computer that is running German Internet Explorer 6 or English Internet Explorer 6 SP1. If you are sure that you have the correct version of this patch, use the /n:v switch to install this patch, and then reinstall the previously installed Internet Explorer hotfix (if you now need to).
Note If the hotfix contains later versions of the files that are contained in this patch, this security update is included with the hotfix.
To confirm that you have the correct update package for this patch, follow these steps:- Click Start, and then click Run.
- Type the following command to extract the contents of the update package to a temporary folder (c:\q810847 in this example):
path
\Q810847.exe /c /t:c:\q810847 - Click Start, and then click Search (or point to Search, and then click For Files and Folders).
- In the All or part of the file name box, type Shdocvw.dll, and then click Search (or Search Now).
- After the search results are displayed, right-click the Shdocvw.dll file in your Windows\System32 folder, and then click Properties.
- Click the Version tab, and then note the File version value.
- Click Language, and then note the value.
- Click OK.
- Repeat steps E through G for the Shdocvw.dll file in your C:\Q810847 folder.
- If the version of Shdocvw.dll in the C:\Q810847 folder is later (a higher number) than the version in your Windows\System32 folder, but is earlier (a lower number) than the next available version of Internet Explorer (from 164539), you have the correct version of this patch.
Note If the language value is different, either obtain the correct update package for your Windows language version or use the /n:v switch to install this patch over an English version of Windows with Multilingual Menus and Dialog Boxes for Internet Explorer or the Windows 2000 or Windows XP MultiLanguage Version.
- If the symptoms that caused you to obtain the previous hotfix recur (because this patch replaced some files from the previously installed Internet Explorer hotfix), reinstall the hotfix.
- When you try to install the Internet Explorer 5.01 SP3 version of this update on a computer that is not running Windows 2000 SP3 (with Internet Explorer 5.01 SP3), you receive the following error message: This error message is incorrect. To install the Internet Explorer 5.01 version of this patch, you must have the version of Internet Explorer 5.01 that is included with Windows 2000 SP3 (Version 5.00.3502.1000) installed.
- For additional information about known issues that may occur after you install this update, click the following article number to view the article in the Microsoft Knowledge Base:
325192 Issues After You Install Updates to Internet Explorer or Windows
The third-party products that are discussed in this article are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, regarding the performance or reliability of these products.
Keywords: kberrmsg kbinfo kbfix kbqfe KB810847