MS01-058: File Vulnerability Patch for Internet Explorer 5.5 and Internet Explorer 6 (313675)


The information in this article applies to:

  • Microsoft Internet Explorer 5.5 for Windows NT 4.0 SP 1
  • Microsoft Internet Explorer 5.5 for Windows NT 4.0 SP 2
  • Microsoft Internet Explorer 5.5 for Windows Millennium Edition SP 1
  • Microsoft Internet Explorer 5.5 for Windows Millennium Edition SP 2
  • Microsoft Internet Explorer 5.5 for Windows 98 Second Edition SP 1
  • Microsoft Internet Explorer 5.5 for Windows 98 Second Edition SP 2
  • Microsoft Internet Explorer 5.5 for Windows 98 SP 1
  • Microsoft Internet Explorer 5.5 for Windows 98 SP 2
  • Microsoft Internet Explorer 5.5 for Windows 95 SP 1
  • Microsoft Internet Explorer 5.5 for Windows 95 SP 2
  • Microsoft Internet Explorer 5.5 for Windows 2000 SP 1
  • Microsoft Internet Explorer 5.5 for Windows 2000 SP 2
  • Microsoft Internet Explorer version 6 for Windows XP
  • Microsoft Internet Explorer version 6 for Windows 2000
  • Microsoft Internet Explorer version 6 for Windows NT 4.0
  • Microsoft Internet Explorer version 6 for Windows Millennium Edition
  • Microsoft Internet Explorer version 6 for Windows 98 Second Edition
  • Microsoft Internet Explorer version 6 for Windows 98
This article was previously published under Q313675

SYMPTOMS

This article describes an Internet Explorer file vulnerability and provides information about how to obtain a patch to resolve the vulnerability. Note that these vulnerabilities affect both Internet Explorer versions 5.5 and 6, unless otherwise specified.

The first vulnerability involves a flaw in the handling of the Content-Disposition and Content-Type header fields in a HyperText Markup Language (HTML) stream. These fields, the hosting Uniform Resource Locator (URL), and the hosted file data determine how a file is handled upon download in Internet Explorer. A security vulnerability exists because, if an attacker altered the HTML header information in a certain way, it could be possible to make Internet Explorer interpret that an executable (.exe) file was actually a different type of file, one that it is appropriate to open without asking the user for confirmation. This could enable the attacker to create a Web page or HTML e-mail message that, when opened, would automatically run an .exe file on the user's computer.

The second vulnerability is a variant of the Frame Domain Verification vulnerability that is described in Microsoft Security Bulletin MS01-015. The vulnerability could enable a malicious Web site operator to open two browser windows, one in the Web site's domain and the other on the user's local file system, and to pass information from the latter to the former. This could enable the Web site operator to read (but not change) any file on the user's local computer that could be opened in a browser window.

The third vulnerability involves a flaw that is related to the display of file names in the File Download dialog box. When a file download is initiated, a dialog provides the name of the file. However, in some cases, it would be possible for an attacker to misrepresent the name of the file in the dialog box. This could be invoked from a Web page or in an HTML e-mail message in an attempt to trick users into accepting unsafe file types from a trusted source.

File Execution Vulnerability

This vulnerability could not be exploited if file downloads have been disabled in the security zone from which the file is being received. In most attempts to maliciously exploit this vulnerability, the file would be received from the Internet or Intranet zone. Because of this, you can disable file downloads in these zones to provide protection. However, this is not the default setting for either of these zones. This affects Internet Explorer 6.0 only.

Frame Domain Verification Variant

The vulnerability could only be used to view files. It could not be used to create, delete, modify or run them. The vulnerability would only allow an attacker to read files that can be can be opened in a browser window, such as image files, HTML files, and text files. Other file types, such as binary files, .exe files, Microsoft Word documents, and so on, could not be read. The attacker would have to have knowledge of the exact file name and location to successfully read the file on the local computer.

File Name Spoofing Vulnerability

The determination about choosing to accept a file download from an Internet site should always be based on the trustworthiness of the source and not on the file type. File downloads should never be accepted from an untrusted source, no matter how harmless the type may appear to be.

RESOLUTION

In addition to the vulnerabilities discussed in this article, this update eliminates all known security vulnerabilities affecting Internet Explorer 5.5 Service Pack 2 (SP2) and Internet Explorer 6.

After you apply this update, ASP cookies are blocked if the servername has non DNS supported characters in it. Customers who are currently using ActiveX controls with Inline Data Streaming have the following options:
  • Install Internet Explorer Security patch MS01-058 and rewrite any applications using Inline Data Streaming. This is the most secure option.
  • Install the patch and work with your Technical Account Manager (TAM) or Microsoft Customer Support at 1-866-727-2338 (1-866-PCSafety) to enable Inline Data Streaming and to properly configure your Security Zones settings.

    WARNING: Enabling the registry key will compromise one of the security fixes in Q313675, so please be sure you make the appropriate Zone settings to mitigate your risk.

Internet Explorer 6

To resolve this problem, obtain the latest service pack for Internet Explorer 6. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

328548 How to Obtain the Latest Internet Explorer 6 Service Pack

The "Security Update, December 13, 2001" patch is superseded by the following patch:

316059 MS02-005: February 11, 2002, Cumulative Patch for Internet Explorer

The "Security Update, December 13, 2001" patch is available at the following Microsoft Web site:

http://www.microsoft.com/windows/ie/downloads/critical/q313675/default.asp


Internet Explorer 5.5

A supported fix is now available from Microsoft, but it is only intended to correct the problem that is described in this article. Apply it only to computers that you determine are at risk of attack. Evaluate your computer's physical accessibility, network and Internet connectivity, and other factors to determine the degree of risk to your computer. See the associated Microsoft Security Bulletin to help determine the degree of risk. This fix may receive additional testing. If your computer is sufficiently at risk, Microsoft recommends that you apply this fix now. Otherwise, wait for the next Internet Explorer 5.5 that contains this fix.

To resolve this problem immediately, download the fix by following the instructions later in this article or contact Microsoft Product Support Services to obtain the fix. For a complete list of Microsoft Product Support Services phone numbers and information about support costs, visit the following Microsoft Web site:

http://support.microsoft.com/default.aspx?scid=fh;EN-US;CNTACTMS

NOTE: In special cases, charges that are ordinarily incurred for support calls may be canceled if a Microsoft Support Professional determines that a specific update will resolve your problem. The usual support costs will apply to additional support questions and issues that do not qualify for the specific update in question.

The "Security Update, December 13, 2001" patch is superseded by the following patch:

316059 MS02-005: February 11, 2002, Cumulative Patch for Internet Explorer

The "Security Update, December 13, 2001" patch is available at the following Microsoft Web site:

http://www.microsoft.com/windows/ie/downloads/critical/q313675/default.asp

NOTE: You must be running Internet Explorer 5.5 Service Pack 2 (SP2) to install this patch. For additional information about how to obtain Internet Explorer 5.5 SP2, click the article number below to view the article in the Microsoft Knowledge Base:

276369 How to Obtain the Latest Service Pack for Internet Explorer 5.5


STATUS

Internet Explorer 6

Microsoft has confirmed that this problem may cause a degree of security vulnerability in Internet Explorer 6. This problem was first corrected in Internet Explorer 6 Service Pack 1.

Internet Explorer 5.5

Microsoft has confirmed that this problem may cause a degree of security vulnerability in Internet Explorer 5.5.

MORE INFORMATION

For additional information about the available switches for the installation of this update, click the article number below to view the article in the Microsoft Knowledge Base:

200007 Internet Explorer Batch Mode Setup Switches

For more information on this vulnerability, see the following Microsoft Web site:

http://www.microsoft.com/technet/security/bulletin/MS01-058.mspx

Modification Type:MinorLast Reviewed:6/7/2005
Keywords:kbbug kbenv kbfix kbIE550PreSP3fix kbIE600preSP1fix kbSecurity kbIE600sp1fix KB313675
©2004 Microsoft Corporation. All rights reserved.