Article ID: 828750
Article Last Modified on 7/30/2007
APPLIES TO
- Microsoft Internet Explorer 6.0, when used with:
- Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
- Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
- Microsoft Windows Server 2003, Standard Edition (32-bit x86)
- Microsoft Windows Server 2003, Web Edition
- Microsoft Windows XP Professional
- Microsoft Windows Server 2003, Datacenter x64 Edition
- Microsoft Windows Server 2003, Enterprise x64 Edition
- Microsoft Windows XP Professional for Itanium-based systems
- Microsoft Internet Explorer 6.0 Service Pack 1, when used with:
- Microsoft Windows XP Professional
- Microsoft Windows XP Embedded
- Microsoft Windows 2000 Service Pack 3
- Microsoft Windows 2000 Service Pack 4
- Microsoft Windows NT 4.0 Service Pack 6a
- Microsoft Windows Millennium Edition
- Microsoft Windows 98 Second Edition
- Microsoft Internet Explorer 6.0, when used with:
- Microsoft Windows XP Professional for Itanium-based systems
- Microsoft Internet Explorer 5.5, when used with:
- Microsoft Windows 2000 Service Pack 3
- Microsoft Windows 2000 Service Pack 4
- Microsoft Windows NT 4.0 Service Pack 6a
- Microsoft Windows Millennium Edition
- Microsoft Windows 98 Second Edition
- Microsoft Internet Explorer 5.01 Service Pack 4, when used with:
- Microsoft Windows 2000 Service Pack 4
- Microsoft Internet Explorer 5.01 Service Pack 3, when used with:
- Microsoft Windows 2000 Service Pack 3
Technical Updates
- October 1, 2003: Originally published.
- October 15, 2003: Updated the "Prerequisites" section to indicate that you can install the security patch on Windows NT Workstation 4.0 SP6a and Windows 2000 SP2.
SYMPTOMS
This is a cumulative security patch for Microsoft Internet Explorer that includes the functionality of all previously released patches for Internet Explorer 5.01, 5.5, and 6. Additionally, this security patch eliminates the following newly discovered vulnerabilities:
- A vulnerability that occurs because Internet Explorer does not correctly determine an object type that is returned from a Web server in a pop-up window. An attacker who exploits this vulnerability could run arbitrary programs on your computer. If you were to visit an attacker's Web site, the attacker could exploit this vulnerability without any other action on your part. An attacker could also create an HTML–based e-mail message that could exploit this vulnerability.
- A vulnerability that occurs because Internet Explorer does not correctly determine an object type that is returned from a Web server during XML data binding. An attacker who exploits this vulnerability could run arbitrary programs on your computer. If you were to visit an attacker's Web site, the attacker could exploit this vulnerability without any other action on your part. An attacker could also create an HTML–based e-mail message that could exploit this vulnerability.
Microsoft has changed the method that Internet Explorer uses to handle Dynamic HTML (DHTML) Behaviors in the Internet Explorer Restricted zone. An attacker who exploits a separate vulnerability could cause Internet Explorer to run script code in the security context of the Internet zone. Additionally, an attacker could use the Microsoft Windows Media Player ability to open Web addresses (or URLs) in the context of the Local Computer zone from a separate zone to construct an attack. An attacker could also create an HTML-based e-mail message that could exploit this behavior.
To exploit these flaws, the attacker would have to create a specially formed HTML–based e-mail message and send the message to you. Or, an attacker could host a malicious Web site that contains a Web page that is designed to exploit these vulnerabilities. The attacker would then have to persuade you to visit that Web site.
As with the previous Internet Explorer cumulative security patch that was released with security bulletin MS03-032 (822925), this cumulative patch causes the window.showHelp method to stop working if you have not applied the HTML Help update. If you have installed the updated HTML Help control from Microsoft Knowledge Base article 811630, you can still use HTML Help functionality after you apply this security patch. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
811630 HTML Help update to limit functionality when it is invoked with the window.showHelp( ) method
In addition to applying this security patch, Microsoft recommends that you also install the Windows Media Player update that is described in Microsoft Knowledge Base article 828026. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
828026 Update for Windows Media Player URL script command behavior
This update is available from the Microsoft Windows Update Web site and from the Microsoft Download Center for all supported versions of Windows Media Player. Although it is not a security patch, this update contains a change to the behavior of the Windows Media Player ability to open Web addresses. This change can help to protect against DHTML behavior-based attacks. Specifically, this update restricts the Windows Media Player ability to open Web addresses in the Local Computer zone from other zones.
Mitigating Factors
- By default, Internet Explorer on Windows Server 2003 runs in Enhanced Security Configuration. This default Internet Explorer configuration helps to block these attacks. If Internet Explorer Enhanced Security Configuration has been disabled, the protections that help to prevent these vulnerabilities from being exploited are removed.
- In the Web-based attack scenario, the attacker would have to host a Web site that contains a Web page to exploit these vulnerabilities. An attacker would have no way to force you to visit a malicious Web site except for the HTML e-mail message vector. Instead, the attacker would have to lure you to the site, typically by causing you to click a link that takes you to the attacker's site.
- Exploiting the vulnerability would allow the attacker only the same credentials as your credentials. Accounts that are configured to have few credentials on the computer are at less risk than accounts that operate with administrator credentials.
Notes
- As with the previous Internet Explorer cumulative security patch that was released with security bulletin MS03-032 (822925), this cumulative security patch also sets the Kill bit on the following ActiveX controls:
Description File name CLSID Reference Microsoft HTML Help control Hhctrl.ocx ADB880A6-D8FF-11CF-9377-00AA003B7A11 323255 ActiveX plug-in control Plugin.ocx 06DD38D3-D187-11CF-A80D-00C04FD74AD8 813489 DirectX Files Viewer control XWeb.ocx {970C7E08-05A7-11D0-89AA-00A0C9054129} 810202 Microsoft Windows Reporting Tool BR549.dll {167701E3-FDCF-11D0-A48E-006097C549FF} 822925 For more information about the Kill bit, click the following article number to view the article in the Microsoft Knowledge Base:
240797 How to stop an ActiveX control from running in Internet Explorer
- Because this security patch sets the Kill bit on the Microsoft HTML Help control, you may experience broken links in Help if you have not installed the updated HTML Help control from Microsoft Knowledge Base article 811630. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
811630 HTML Help update to limit functionality when it is invoked with the window.showHelp( ) method
- As with the previous Internet Explorer cumulative patch that was released with security bulletin MS03-032 (822925), this cumulative security patch causes the window.showHelp method to stop working if you have not applied the HTML Help update. If you have installed the updated HTML Help control from Microsoft Knowledge Base article 811630, you can still use HTML Help functionality after you apply this update. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
811630 HTML Help update to limit functionality when it is invoked with the window.showHelp( ) method
RESOLUTION
Service pack information
To resolve this problem, obtain the latest service pack for Microsoft Windows XP. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
322389 How to obtain the latest Windows XP service pack
Hotfix information
Download Information
To download and install this update, visit the Microsoft Windows Update Web site, and then install critical update 828750:
Administrators can download this update from the Microsoft Download Center or from the Microsoft Windows Update Catalog to deploy to multiple computers. If you want to install this update later on one or more computers, search for this article ID number by using the Advanced Search Options feature in the Windows Update Catalog. For more information about how to download updates from the Windows Update Catalog, click the following article number to view the article in the Microsoft Knowledge Base:
323166 How to download updates and drivers from the Windows Update Catalog
To download this update from the Microsoft Download Center, visit the following Microsoft Web site:
For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:
119591 How to Obtain Microsoft Support Files from Online Services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.
Installation Information
You must be logged on as an administrator to install this update. To download and install this update, visit the Windows Update Web site, and then install critical update 828750:
To install a downloaded version of this update, run the 828750 critical update package that you downloaded by using the appropriate Setup switches . Administrators can deploy this update by using Microsoft Software Update Services (SUS). For additional information about SUS, click the following article number to view the article in the Microsoft Knowledge Base:
810796 Software Update Services Overview white paper available
To verify that this update has been installed, use the Microsoft Baseline Security Analyzer (MBSA) tool. For additional information about MBSA, see the following Microsoft Web site:
You may also be able to verify that this update has been installed by using any of the following methods:
- Confirm that Q828750 is listed in the Update Versions field in the About Internet Explorer dialog box. You cannot use this method on Windows Server 2003 or on Windows XP 64-Bit Edition, Version 2003 because the package does not update the Update Versions field for these versions of Windows.
- Compare the versions of the updated files on your computer with the files that are listed in the "File Information" section in this article.
- Confirm that the following registry entries exist.
- Windows Server 2003 and Windows XP 64-Bit Edition, Version 2003:
Confirm that theInstalled
DWORD value with a data value of 1 appears in the following registry key:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB828750
- All other versions of Windows:
Confirm that theIsInstalled
DWORD value with a data value of 1 appears in the following registry key:HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{96543d59-497a-4801-a1f3-5936aacaf7b1}
- Windows Server 2003 and Windows XP 64-Bit Edition, Version 2003:
Prerequisites
Microsoft has tested the versions of Windows and the versions of Internet Explorer that are listed in this article to assess whether they are affected by these vulnerabilities, and to confirm that the update that this article describes addresses these vulnerabilities.
To install the Internet Explorer 6 for Windows Server 2003 versions of this update, you must be running Internet Explorer 6 (version 6.00.3790.0000) on Windows Server 2003 (32-bit or 64-bit) or you must be running Internet Explorer 6 on Windows XP 64-Bit Edition, Version 2003.
To install the Internet Explorer 6 Service Pack 1 (SP1) versions of this update, you must be running Internet Explorer 6 SP1 (version 6.00.2800.1106) on Windows XP 64-Bit Edition, Version 2002; Windows XP SP1; Windows XP; Windows 2000 Service Pack 4 (SP4); Windows 2000 Service Pack 3 (SP3); Windows 2000 Service Pack 2 (SP2); Windows NT Workstation and Server 4.0 Service Pack 6a (SP6a); Windows NT Server 4.0 Terminal Server Edition SP6; or Windows Millennium Edition.
To install the Internet Explorer 6 version of this update, you must be running Internet Explorer 6 (version 6.00.2600.0000) on Windows XP.
To install the Internet Explorer 5.5 version of this update, you must be running Internet Explorer 5.5 Service Pack 2 (version 5.50.4807.2300) on Windows 2000 SP4, Windows 2000 SP3, Windows 2000 SP2, Windows NT Workstation and Server 4.0 SP6a, Windows NT Server 4.0 Terminal Server Edition SP6, or Windows Millennium Edition.
To install the Internet Explorer 5.01 version of this update, you must be running Internet Explorer 5.01 Service Pack 4 (version 5.00.3700.1000) on Windows 2000 SP4 or you must be running Internet Explorer 5.01 Service Pack 3 (version 5.00.3502.1000) on Windows 2000 SP3.
Note Versions of Windows and versions of Internet Explorer that are not listed in this article are either in the extended phase of the product life cycle or are no longer supported. Although you can install some of the update packages that are described in this article on these versions of Windows and of Internet Explorer, Microsoft has not tested these versions to assess whether they are affected by these vulnerabilities or to confirm that the update that this article describes addresses these vulnerabilities. Microsoft recommends that you upgrade to a supported version of Windows and of Internet Explorer, and then apply the appropriate update. If you are running a version of Windows or of Internet Explorer that is in the extended phase of the product life cycle, and if you have an Extended Support contract, contact your Technical Account Manager (TAM) or your Applications Development Consultant (ADC) for information about an update for your configuration.
For more information about how to determine which version of Internet Explorer you are running, click the following article number to view the article in the Microsoft Knowledge Base:
164539 How to determine which version of Internet Explorer is installed
For additional information about support life cycles for Windows components, visit the following Microsoft Web site:
For additional information about how to obtain Internet Explorer 6 SP1, click the following article number to view the article in the Microsoft Knowledge Base:
328548 How to Obtain the Latest Service Pack for Internet Explorer 6
For more information about how to obtain the latest service pack for Internet Explorer 5.5, click the following article number to view the article in the Microsoft Knowledge Base:
276369 How to obtain the latest service pack for Internet Explorer 5.5
For more information about how to obtain Internet Explorer 5.01 SP3, click the following article number to view the article in the Microsoft Knowledge Base:
267954 How to obtain the latest Internet Explorer 5.01 service pack
Restart Requirements
For the Internet Explorer 6 versions of this update, you must restart your computer to complete the installation. For the Internet Explorer 5.01 and the Internet Explorer 5.5 versions of this update, you must restart your computer, and then log on as an administrator to complete the installation on Windows NT 4.0-based and Windows 2000-based computers.
Previous Update Status
This update replaces the MS03-032: August, 2003, Cumulative Patch for Internet Explorer (822925).
Setup Switches
The Windows Server 2003 versions of this security patch (including Windows XP 64-Bit Edition, Version 2003) support the following Setup switches:
- /?: Show the list of installation switches.
- /u: Use Unattended mode.
- /f: Force other programs to quit when the computer shuts down.
- /n: Do not back up files for removal.
- /o: Overwrite OEM files without prompting.
- /z: Do not restart when the installation is complete.
- /q: Use Quiet mode (no user interaction).
- /l: List the installed hotfixes.
- /x: Extract the files without running Setup.
For example, to install the Windows Server 2003 32-bit security patch without any user intervention, use the following command:
windowsserver2003-kb828750-x86-enu.exe /u /q
To install this security patch without forcing the computer to restart, use the following command:
windowsserver2003-kb828750-x86-enu.exe /z
Note You can combine these switches in one command.
For information about how to deploy this security patch by using Software Update Services, visit the following Microsoft Web site:
The other update packages for this security patch support the following switches:
- /q: Use Quiet mode or suppress messages when the files are being extracted.
- /q:u: Use User-Quiet mode. User-Quiet mode presents some dialog boxes to the user.
- /q:a: Use Administrator-Quiet mode. Administrator-Quiet mode does not present any dialog boxes to the user.
- /t:
path
: Specify the location of the temporary folder that is used by Setup or the target folder for extracting the files (when you are using the /c switch). - /c: Extract the files without installing them. If you do not specify the /t:
path
switch, you are prompted for a target folder. - /c:
path
: Specify the path and the name of the Setup .inf file or the .exe file. - /r:n: Never restart the computer after installation.
- /r:i: Prompt the user to restart the computer if a restart is required, except when this switch is used with the /q:a switch.
- /r:a: Always restart the computer after installation.
- /r:s: Restart the computer after installation without prompting the user.
- /n:v: Do not check the version. Use this switch with caution to install the update on any version of Internet Explorer.
For example, to install the update without any user intervention and not to force the computer to restart, use the following command:
q828750.exe /q:a /r:n
File Information
The English version of this security patch has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.
The following files are installed in the %Windir%\System folder on Windows 98 Second Edition and on Windows Millennium Edition. They are installed in the %Windir%\System32 folder on Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003.
Internet Explorer 6 (32-bit) for Windows Server 2003
Date Time Version Size File name ------------------------------------------------------- RTMQFE 22-Sep-2003 19:11 6.0.3790.89 2,917,888 Mshtml.dll 22-Sep-2003 19:11 6.0.3790.85 1,394,176 Shdocvw.dll 22-Sep-2003 19:11 6.0.3790.84 509,440 Urlmon.dll RTMGDR 22-Sep-2003 19:14 6.0.3790.88 2,917,888 Mshtml.dll 22-Sep-2003 19:14 6.0.3790.85 1,394,176 Shdocvw.dll 22-Sep-2003 19:14 6.0.3790.84 509,440 Urlmon.dll
Internet Explorer 6 (64-bit) for Windows Server 2003 64-bit versions and for Windows XP 64-Bit Edition, Version 2003
Date Time Version Size File name Platform ------------------------------------------------------------------ RTMQFE 22-Sep-2003 19:06 6.0.3790.89 8,210,944 Mshtml.dll IA-64 22-Sep-2003 19:06 6.0.3790.89 3,359,232 Shdocvw.dll IA-64 22-Sep-2003 19:06 6.0.3790.87 1,271,808 Urlmon.dll IA-64 22-Sep-2003 19:11 6.0.3790.89 2,917,888 Wmshtml.dll x86 22-Sep-2003 19:11 6.0.3790.85 1,394,176 Wshdocvw.dll x86 22-Sep-2003 19:11 6.0.3790.84 509,440 Wurlmon.dll x86 RTMGDR 22-Sep-2003 19:10 6.0.3790.88 8,210,944 Mshtml.dll IA-64 22-Sep-2003 19:10 6.0.3790.85 3,359,744 Shdocvw.dll IA-64 22-Sep-2003 19:10 6.0.3790.87 1,271,808 Urlmon.dll IA-64 22-Sep-2003 19:14 6.0.3790.88 2,917,888 Wmshtml.dll x86 22-Sep-2003 19:14 6.0.3790.85 1,394,176 Wshdocvw.dll x86 22-Sep-2003 19:14 6.0.3790.84 509,440 Wurlmon.dll x86
Internet Explorer 6 SP1 (32-bit) for Windows XP SP1, Windows XP, Windows 2000 SP3, Windows 2000 SP4, Windows NT 4.0 SP6a, Windows Millennium Edition, and Windows 98 Second Edition
Date Time Version Size File name --------------------------------------------------------- 18-Sep-2003 22:28 6.0.2800.1264 2,793,984 Mshtml.dll 23-May-2003 17:15 6.0.2800.1203 1,338,880 Shdocvw.dll 13-Jul-2003 20:05 6.0.2800.1226 395,264 Shlwapi.dll 10-Sep-2003 11:48 6.0.2800.1259 444,928 Urlmon.dll
Internet Explorer 6 SP1 (64-bit) for Windows XP 64-Bit Edition, Version 2002
Date Time Version Size File name Platform ------------------------------------------------------------------- 18-Sep-2003 21:16 6.0.2800.1264 9,079,808 Mshtml.dll IA-64 23-May-2003 16:39 6.0.2800.1203 3,648,000 Shdocvw.dll IA-64 13-Jul-2003 19:27 6.0.2800.1226 1,095,168 Shlwapi.dll IA-64 10-Sep-2003 11:51 6.0.2800.1259 1,412,608 Urlmon.dll IA-64
Internet Explorer 6 (32-bit) for Windows XP
Date Time Version Size File name --------------------------------------------------------- 18-Sep-2003 21:51 6.0.2733.1800 2,763,264 Mshtml.dll 11-Jul-2003 14:59 6.0.2722.900 34,304 Pngfilt.dll 05-Mar-2002 00:09 6.0.2715.400 548,864 Shdoclc.dll 22-May-2003 22:49 6.0.2729.2200 1,336,320 Shdocvw.dll 11-Jul-2003 14:59 6.0.2730.1200 391,168 Shlwapi.dll 11-Jul-2003 14:59 6.0.2715.400 109,568 Url.dll 10-Sep-2003 11:38 6.0.2733.1000 442,880 Urlmon.dll 06-Jun-2002 17:38 6.0.2718.400 583,168 Wininet.dll
Internet Explorer 5.5 SP2 for Windows 2000 SP4, Windows 2000 SP3, Windows NT 4.0 SP6a, Windows Millennium Edition, and Windows 98 Second Edition
Date Time Version Size File name ---------------------------------------------------------- 18-Sep-2003 21:26 5.50.4933.1800 2,759,952 Mshtml.dll 17-Oct-2002 00:01 5.50.4922.900 48,912 Pngfilt.dll 22-May-2003 23:09 5.50.4929.2200 1,149,200 Shdocvw.dll 12-Jun-2003 20:24 5.50.4930.1200 300,816 Shlwapi.dll 05-Mar-2002 01:53 5.50.4915.500 84,240 Url.dll 10-Sep-2003 11:31 5.50.4933.1000 408,848 Urlmon.dll 06-Jun-2002 21:27 5.50.4918.600 481,552 Wininet.dll
Internet Explorer 5.01 for Windows 2000 SP4 and for Windows 2000 SP3
Date Time Version Size File name --------------------------------------------------------- 18-Sep-2003 20:36 5.0.3809.1800 2,282,768 Mshtml.dll 12-Jun-2003 23:15 5.0.3806.1200 48,912 Pngfilt.dll 12-Jun-2003 23:08 5.0.3806.1200 1,099,536 Shdocvw.dll 12-Jun-2003 23:07 5.0.3806.1200 279,824 Shlwapi.dll 05-Mar-2002 01:53 5.50.4915.500 84,240 Url.dll 10-Sep-2003 11:22 5.0.3809.1000 409,360 Urlmon.dll 12-Jun-2003 23:16 5.0.3806.1200 445,200 Wininet.dll
Notes
- When you install this security patch on a Windows Server 2003-based or on a Windows XP 64-Bit Edition, Version 2003-based computer, the installer checks to see if any of the files that are being updated on your computer have previously been updated by a Microsoft hotfix. If you have previously installed a hotfix to update one of these files, the installer copies the RTMQFE files to your computer. Otherwise, the installer copies the RTMGDR files to your computer. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
824994 Description of the contents of Windows XP Service Pack 2 and Windows Server 2003 software update packages
- Because of file dependencies and Setup or removal requirements, these update packages may also contain additional files.
Removal Information
To remove this update, use the Add or Remove Programs tool (or the Add/Remove Programs tool) in Control Panel. Click Internet Explorer Q828750 , and then click Change/Remove (or click Add/Remove ).
On Windows Server 2003 and on Windows XP 64-Bit Edition, Version 2003, system administrators can use the Spunist.exe utility to remove this security patch. The Spuninst.exe utility is located in the %Windir%\$NTUninstallKB828750$\Spuninst folder. This utility supports the following Setup switches:
- /?: Show the list of installation switches.
- /u: Use Unattended mode.
- /f: Force other programs to quit when the computer shuts down.
- /z: Do not restart when the installation is complete.
- /q: Use Quiet mode (no user interaction).
On all other versions of Windows, system administrators can use the Ieuninst.exe utility to remove this update. This security patch installs the Ieuninst.exe utility in the %Windir% folder. This utility supports the following command-line switches:
- /?: Show the list of supported switches.
- /z: Do not restart when the installation is complete.
- /q: Use Quiet mode (no user interaction).
For example, to remove this update quietly, use the following command:
c:\windows\ieuninst /q c:\windows\inf\q828750.inf
Note This command assumes that Windows is installed in the C:\Windows folder.
WORKAROUND
These workarounds are temporary measures because they only help to block paths of attack. These workarounds do not correct the underlying vulnerability. Microsoft encourages you to install the security patch at your earliest opportunity.
The following workarounds are intended to give you information to help to protect your computer from attack.
- Prompt before running ActiveX controls in the Internet and Intranet zones
You can help to protect against this vulnerability by changing your settings for the Internet security zone to prompt you before running ActiveX components. To do this, follow these steps:- In Internet Explorer, click Internet Options on the Tools menu.
- Click the Security tab.
- Click the Internet zone, and then click Custom Level.
- Under Run ActiveX controls and plug-ins, click Prompt .
- Click OK.
- Click the Local Intranet zone, and then click Custom Level.
- Under Run ActiveX controls and plug-ins, click Prompt.
- Click OK, and then click OK to return to Internet Explorer.
- Restrict Web sites to only your trusted Web sites
After you configure Internet Explorer to prompt you before running ActiveX controls in the Internet and the Local Intranet zone, you can add sites that you trust to a list of trusted sites. This allows you to continue using trusted Web sites exactly as you do today, while helping to protect you from the vulnerability that this article describes on untrusted sites. To do this, follow these steps:- In Internet Explorer, click Internet Options on the Tools menu.
- Click the Security tab.
- Click the Trusted Sites zone, and then click Sites.
- If you want to add sites that do not require an encrypted channel, click to clear the Require server verification (https:) for all sites in this zone check box.
- In the Add this Web Site to the zone box, type the Web address (or URL) of a site that you trust, and then click Add. Repeat this for each site that you want to add to the Trusted Sites zone.
- Click OK and then click OK to accept the changes and return to Internet Explorer. Add any sites that you trust not to take malicious action on your computer. For example, you may want to add the "http://windowsupdate.microsoft.com%22 site. This is the Microsoft site that hosts the security patch that this article describes; this site uses an ActiveX control to install the security patch.
- If you are using Microsoft Outlook 2002 or Microsoft Outlook Express 6 SP1 or later, read-email messages in plain text to help to protect yourself from the HTML e-mail message attack vector
If you use Outlook 2002 or Outlook Express 6 SP1 or later, you can turn on a feature to view all e-mail messages that are not digitally signed or encrypted in plain text only. Digitally signed or encrypted e-mail messages are not affected by this setting and you can view them in their original formats. For more information about using this setting in Outlook 2002, click the following article number to view the article in the Microsoft Knowledge Base:307594 Description of a new feature that users can use to read non-digitally-signed e-mail or nonencrypted e-mail as plain text in Office XP SP-1
For more information about using this setting in Outlook Express 6, click the following article number to view the article in the Microsoft Knowledge Base:
291387 Using virus protection features in Outlook Express 6
STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
Internet Explorer 6
This problem was first corrected in Microsoft Windows XP Service Pack 2.
MORE INFORMATION
For more information about this security patch, visit the following Microsoft Web site:
Known Issues
- To correctly remove (uninstall) more than one cumulative update for Internet Explorer on a computer that is running Windows Server 2003 or that is running Windows XP 64-Bit Edition, Version 2003, you must remove the updates in the same order that they were installed. For example, if you install 818529, and you then install 828750, you must remove 828750 before you remove 818529.
- On a computer that is running Windows XP, Windows 2000, Windows NT 4.0, Windows Millennium Edition, or Windows 98 Second Edition, after you remove the 828750 critical update, you cannot remove previous cumulative updates for Internet Explorer (such as the 818529 critical update). This behavior is by design. Removing is supported only for the last cumulative update that you installed.
- For more information about known issues that may occur after you install this update, click the following article number to view the article in the Microsoft Knowledge Base:
325192 Issues after you install updates to Internet Explorer or Windows
Keywords: kbhotfixserver atdownload kbwinxpsp2fix kbsecbulletin kbsecvulnerability kbsecurity kbwin2000presp5fix kbwinxppresp2fix kbwinserv2003presp1fix kbqfe kbfix kbbug KB828750