MS02-009 May Cause Incompatibility Problems Between VBScript and Third-Party Applications (319847)



The information in this article applies to:

  • Microsoft Internet Explorer 5.5 for Windows NT 4.0 SP 1
  • Microsoft Internet Explorer 5.5 for Windows NT 4.0 SP 2
  • Microsoft Internet Explorer 5.01 for Windows NT 4.0 SP 1
  • Microsoft Internet Explorer 5.01 for Windows NT 4.0 SP 2
  • Microsoft Internet Explorer 5.5 for Windows Millennium Edition SP 1
  • Microsoft Internet Explorer 5.5 for Windows Millennium Edition SP 2
  • Microsoft Internet Explorer 5.5 for Windows 98 Second Edition SP 1
  • Microsoft Internet Explorer 5.5 for Windows 98 Second Edition SP 2
  • Microsoft Internet Explorer 5.01 for Windows 98 Second Edition SP 1
  • Microsoft Internet Explorer 5.01 for Windows 98 Second Edition SP 2
  • Microsoft Internet Explorer 5.5 for Windows 98 SP 1
  • Microsoft Internet Explorer 5.5 for Windows 98 SP 2
  • Microsoft Internet Explorer 5.01 for Windows 98 SP 1
  • Microsoft Internet Explorer 5.01 for Windows 98 SP 2
  • Microsoft Internet Explorer 5.5 for Windows 2000 SP 1
  • Microsoft Internet Explorer 5.5 for Windows 2000 SP 2
  • Microsoft Internet Explorer 5.01 for Windows 2000 SP 1
  • Microsoft Internet Explorer 5.01 for Windows 2000 SP 2
  • Microsoft Internet Explorer version 6 for Windows XP
  • Microsoft Internet Explorer version 6 for Windows Millennium Edition
  • Microsoft Internet Explorer version 6 for Windows 2000
  • Microsoft Internet Explorer version 6 for Windows NT 4.0
  • Microsoft Internet Explorer version 6 for Windows 98
  • Microsoft Internet Explorer version 6 for Windows 98 Second Edition

This article was previously published under Q319847

SUMMARY

After the release of the Microsoft Security Bulletin MS02-009 patch on February 21, 2002, Microsoft became aware of a compatibility problem with several third-party applications that use an unforeseen behavior in Microsoft Visual Basic Scripting Edition (VBScript). This article explains the compatibility problem, as well as the changes that Microsoft made in the updated version of the MS02-009 patch.

For additional information about this patch and how to obtain it, click the article number below to view the article in the Microsoft Knowledge Base:

318089 MS02-009: Incorrect VBScript Handling in Internet Explorer Can Allow Web Pages to Read Local Files

MORE INFORMATION

VBScript can create instances of Component Object Model (COM) objects that implement the IDispatch interface. Late-bound calls to functions on COM objects are made through a "dispatch" interface (that is, an interface that takes the name of a method at run time and then "dispatches" the call to the correct method).

Some COM objects implement more than one dispatch interface. Some languages (such as Visual Basic) can call an object on any dispatch interface. Some languages (such as JScript) can call only on the default dispatch interface. If you call the CreateObject method in VBScript, the default dispatch interface is returned, regardless of how many secondary interfaces an object supports. However, VBScript does not check whether an interface that is returned by a call to a method or a property is the object's default interface.

Previous versions of Internet Explorer had a security problem in which they could sometimes return an insecure secondary interface to the VBScript engine, which could then use that object in an insecure manner. To fix this problem, Microsoft modified VBScript to always retrieve the default interface. Although this modification mitigated the security vulnerability, it introduced compatibility problems with some legitimate objects.

The updated version of MS02-009 narrows down this restriction to cover only the Internet Explorer objects that are potentially insecure. This patch now allows third-party objects to use non-default dispatch interfaces in VBScript.
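The following added example is a conceptual Python model of the three behaviors described above (before the patch, the original patch, and the updated patch). It is not Microsoft's code and not part of the original article; the `restricted` flag and the member names `GetSecondary` and `Extra` are hypothetical.

```python
from enum import Enum

class Policy(Enum):
    PRE_PATCH = "pre-patch"      # engine keeps whatever interface a call returns
    ORIGINAL_PATCH = "original"  # engine always swaps in the default interface
    UPDATED_PATCH = "updated"    # engine swaps only for restricted (browser) objects

class DispatchInterface:
    """Late-bound interface: members are looked up by name at call time."""
    def __init__(self, owner, members):
        self.owner = owner
        self.members = members

    def invoke(self, name):
        if name not in self.members:
            raise AttributeError(f"{name} is not on this dispatch interface")
        return self.members[name]()

class ComObject:
    """Constructed model of an object with a default and a secondary interface."""
    def __init__(self, restricted):
        # Assumption: True marks a potentially insecure browser object.
        self.restricted = restricted
        self.secondary = DispatchInterface(self, {"Extra": lambda: "extra-result"})
        self.default = DispatchInterface(self, {"GetSecondary": lambda: self.secondary})

def create_object(obj):
    # CreateObject always hands back the default dispatch interface.
    return obj.default

def receive(iface, policy):
    """Interface the engine keeps when a method or property returns one."""
    if policy is Policy.ORIGINAL_PATCH:
        return iface.owner.default
    if policy is Policy.UPDATED_PATCH and iface.owner.restricted:
        return iface.owner.default
    return iface

def call_secondary(obj, policy):
    """Models: Set s = o.GetSecondary, then s.Extra; reports the outcome."""
    returned = receive(create_object(obj).invoke("GetSecondary"), policy)
    try:
        return returned.invoke("Extra")
    except AttributeError:
        return "blocked"

def outcome_table():
    objs = {"third-party": ComObject(False), "browser": ComObject(True)}
    return {(n, p.value): call_secondary(o, p) for n, o in objs.items() for p in Policy}
```

Calling `outcome_table()` shows the compatibility regression: under the original patch the third-party object's secondary member is unreachable, while under the updated patch only the restricted object is limited to its default interface.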

For more information about this vulnerability, refer to the following Microsoft Web site:

Modification Type: Major
Last Reviewed: 11/26/2003
Keywords: kbinfo KbSECBulletin kbSecurity KB319847