SUMMARY
Microsoft has released a cumulative patch for Internet
Explorer. This patch includes updates for the issues that are described in the
following Microsoft Knowledge Base articles:
324929 MS02-068: December, 2002, Cumulative Patch for Internet Explorer
328970 MS02-066: November, 2002, Cumulative Patch for Internet Explorer
323759 MS02-047: August 22, 2002, Cumulative Patch for Internet Explorer
321232 MS02-023: May 15, 2002, Cumulative Patch for Internet Explorer
319182 MS02-015: March 28, 2002, Cumulative Patch for Internet Explorer
316059 MS02-005: February 11, 2002, Cumulative Patch for Internet Explorer
This cumulative patch also addresses the following
two newly discovered vulnerabilities that involve Internet Explorer's
cross-domain security model. This security model prevents windows of different
domains from sharing information.
- A flaw in Internet Explorer may permit a malicious Web site
operator to access information in another Internet domain, or on the user's
local system, by injecting specially crafted code when certain dialog boxes
are presented to the user. In the worst case, this vulnerability may permit an
attacker to load a malicious executable onto the system and then run
it.
The attacker has no way to force a user to a malicious Web site.
By default, Microsoft Outlook Express 6.0 and Microsoft Outlook 2002 open HTML
e-mail in the Restricted sites zone. Additionally, Microsoft Outlook 98 and
Microsoft Outlook 2000 open HTML e-mail in the Restricted sites zone if the
Outlook E-mail Security Update has been installed. Customers who use any of
these products are at no risk from an e-mail-borne attack that tries to
automatically take a user to a malicious Web site and exploit this
vulnerability.
- A flaw in Internet Explorer may permit an attacker to use
the showHelp functionality to either read a local file on a user's local
system or, potentially, to disclose user information. An attacker must lure a
user to a malicious Web site, and the attacker also must either know the exact
path of the local file or persuade the user to click a link at the malicious
Web site and therefore disclose the user's information. An attacker can also
exploit this vulnerability to run local executables with
parameters.
The attacker has no way to force a user to a malicious Web
site. By default, Outlook Express 6.0 and Outlook 2002 open HTML e-mail in the
Restricted sites zone. Additionally, Outlook 98 and Outlook 2000 open HTML
e-mail in the Restricted sites zone if the Outlook E-mail Security Update has
been installed. Customers who use any of these products are at no risk from an
e-mail-borne attack that tries to automatically take a user to a malicious Web
site and exploit this vulnerability unless the user clicks a link in the e-mail
message.
Important: The patch discussed in this article addresses the vulnerability
by making sure that the correct cross-domain security checks occur whenever
showHelp functionality is used. However, applying the patch disables HTML Help
functionality because HTML Help was one of the attack vectors. To restore HTML
Help functionality, you are also encouraged to download the HTML Help update
after you apply this cumulative patch.
For additional information about this issue, click the following article number
to view the article in the Microsoft Knowledge Base:
811630 HTML Help Update to Limit Functionality When It Is Invoked with the Window.showHelp( ) Method
Note This patch also addresses an issue that prevented previous
cumulative patches for Internet Explorer from successfully installing on
Microsoft Windows XP-based computers in noninteractive mode (for example, by
using Windows Task Scheduler, Microsoft Systems Management Server, or the IBM
Tivoli software).
For more information about this patch, visit the
following Microsoft Web site:
MORE INFORMATION
Download Information
To install this patch, visit the following Windows Update site and
install Critical Update: 810847:
Administrators can download this update from the Microsoft
Download Center or the Windows Update Catalog to deploy to multiple computers.
If you want to obtain this update to install later on one or more
computers, search for this article ID number by using the Advanced Search
Options feature in the Windows Update Catalog.
For additional
information about how to download updates from the Windows Update Catalog,
click the following article number to view the article in the Microsoft
Knowledge Base:
323166
HOW TO: Download Windows Updates and Drivers from the Windows Update Catalog
To download this update from the Microsoft Download
Center, visit the following Microsoft Web site:
For additional information about how to
download files from the Microsoft Download Center, click the following article
number to view the article in the Microsoft Knowledge Base:
119591
How to Obtain Microsoft Support Files from Online Services
Microsoft used the most current virus-detection
software that was available on the date that the file was posted. The file is
stored on secure servers that prevent any unauthorized changes to the file.
Installation Information
Prerequisites
To install the Internet Explorer 6 version of this update, you
must be running Internet Explorer 6 (Version 6.00.2600.0000) on Windows XP. To
install the Internet Explorer 6 Service Pack 1 (SP1) versions of this update,
you must be running Internet Explorer 6 SP1 (6.00.2800.1106) on Windows XP SP1,
Windows 2000 SP2 or SP3, Windows NT 4.0 SP6a, Windows Millennium Edition, or
Windows 98 Second Edition. To install the Internet Explorer 5.5 version of this
update, you must be running Internet Explorer 5.5 Service Pack 2 (SP2) (Version
5.50.4807.2300) on Windows 2000 SP3, Windows NT 4.0 SP6a, Windows Millennium
Edition, or Windows 98 Second Edition. To install the Internet Explorer 5.01
version of this update, you must be running Internet Explorer 5.01 Service Pack
3 (SP3) (Version 5.00.3502.1000) on Windows 2000 SP3.
For additional information about how
to determine which version of Internet Explorer you are running, click the
following article number to view the article in the Microsoft Knowledge Base:
164539
How to Determine Which Version of Internet Explorer Is Installed
For additional information about support lifecycles
for Windows operating system components, visit the following Microsoft Web
site:
For
additional information about how to obtain SP1 for Internet Explorer 6, click
the following article number to view the article in the Microsoft Knowledge
Base:
328548
How to Obtain the Latest Service Pack for Internet Explorer 6
For
additional information, click the following article number to view the article
in the Microsoft Knowledge Base:
276369
How to Obtain the Latest Service Pack for Internet Explorer 5.5
For additional information about how to
obtain SP3 for Internet Explorer 5.01, click the following article number to
view the article in the Microsoft Knowledge Base:
267954
How to Obtain the Latest Internet Explorer 5.01 Service Pack
Reboot Requirement
For the Internet Explorer 6 SP1 package, you must restart your computer to complete the installation of this update. For all other versions of this package you must restart your computer and log on as an administrator to complete the installation of this update.
Previous Update Status
This update supersedes the updates listed in the Summary section
of this article.
Setup Switches
The update packages for this patch support the following switches:
- /q Specifies Quiet mode or suppresses messages when the files are
being extracted.
- /q:u Specifies User-Quiet mode, which presents some dialog boxes to
the user.
- /q:a Specifies Administrator-Quiet mode, which does not present any
dialog boxes to the user.
- /t:path Specifies the target folder for extracting files.
- /c Extracts the files without installing them. If /t:path is not specified, you are prompted for a target
folder.
- /c:path Specifies the path and name of the Setup .inf file or the .exe
file.
- /r:n Never restarts the computer after installation.
- /r:i Prompts the user to restart the computer if a restart is
required, except when used with /q:a.
- /r:a Always restarts the computer after installation.
- /r:s Restarts the computer after installation without prompting the
user.
- /n:v No version checking. Use this switch with caution to install the
update on any version of Internet Explorer.
For example, to install the update without any user intervention
and to not force the computer to restart, run the following command:
File Information
The English version of this fix has the file attributes (or later)
that are listed in the following tables. The dates and times for these files
are listed in coordinated universal time (UTC). When you view the file
information, it is converted to local time. To find the difference between UTC
and local time, use the Time Zone tab in the Date and Time tool in Control
Panel.
The following files are installed in the %Windir%\System folder
in Windows 98, Windows 98 Second Edition, and Windows Millennium Edition. They
are installed in the %Windir%\System32 folder in Windows NT 4.0, Windows 2000,
and Windows XP.
Internet Explorer 6 SP1 (32-bit)
Date Time Version Size File name
--------------------------------------------------------------
02-Dec-2002 15:06 6.0.2800.1141 2,783,232 Mshtml.dll
07-Jan-2003 21:37 6.0.2800.1154 1,338,880 Shdocvw.dll
07-Jan-2003 21:37 6.0.2800.1154 483,328 Urlmon.dll
Internet Explorer 6 SP1 (64-bit)
Date Time Version Size File name
--------------------------------------------------------------
02-Dec-2002 17:33 6.0.2800.1141 9,065,984 Mshtml.dll IA64
08-Jan-2003 00:07 6.0.2800.1154 3,648,000 Shdocvw.dll IA64
08-Jan-2003 00:11 6.0.2800.1154 1,411,584 Urlmon.dll IA64
Internet Explorer 6
Date Time Version Size File name
--------------------------------------------------------------
02-Dec-2002 13:35 6.0.2723.2500 2,761,728 Mshtml.dll
02-Dec-2002 13:38 6.0.2722.900 34,304 Pngfilt.dll
05-Mar-2002 00:09 6.0.2715.400 548,864 Shdoclc.dll
05-Nov-2002 16:01 6.0.2723.100 1,336,320 Shdocvw.dll
02-Dec-2002 13:38 6.0.2715.400 109,568 Url.dll
11-Oct-2002 16:53 6.0.2722.900 481,280 Urlmon.dll
06-Jun-2002 17:38 6.0.2718.400 583,168 Wininet.dll
Internet Explorer 5.5 SP2
Date Time Version Size File name
--------------------------------------------------------------
02-Dec-2002 13:41 5.50.4923.2500 2,757,904 Mshtml.dll
17-Oct-2002 00:01 5.50.4922.900 48,912 Pngfilt.dll
04-Nov-2002 14:27 5.50.4923.500 1,149,200 Shdocvw.dll
05-Mar-2002 01:53 5.50.4915.500 84,240 Url.dll
15-Oct-2002 21:41 5.50.4922.900 451,344 Urlmon.dll
06-Jun-2002 21:27 5.50.4918.600 481,552 Wininet.dll
Internet Explorer 5.01 SP3 (Windows 2000 Only)
Date Time Version Size File name
--------------------------------------------------------------
09-Jan-2003 22:40 5.0.3513.900 2,361,104 Mshtml.dll
14-Oct-2002 15:28 5.0.3510.1100 48,912 Pngfilt.dll
09-Jan-2003 22:41 5.0.3513.900 1,108,752 Shdocvw.dll
05-Mar-2002 01:53 5.50.4915.500 84,240 Url.dll
09-Jan-2003 22:42 5.0.3513.900 451,344 Urlmon.dll
07-Jun-2002 23:56 5.0.3506.1000 461,584 Wininet.dll
Note Because of file dependencies, these updates may also contain
additional files.
Known Issues
- If you previously installed the hotfix that is described in
Microsoft Knowledge Base article 329802, the symptoms described in Microsoft
Knowledge Base articles 329802 or 813951 may reoccur after you install this
update. To resolve this problem, install the 813951 Critical
Update. For
additional information, click the following article number to view the article
in the Microsoft Knowledge Base:
813951
You Cannot Access Your MSN E-mail Account or Authenticate with a Web Site in Various Programs
- Some of the files updated by the patch discussed in this
article are replaced with earlier versions if you remove (uninstall) the
Critical Update discussed in the following Microsoft Knowledge Base article:
810565 Hyperlinks Open in Internet Explorer Instead of in Default Browser or Help and Support Center
When this occurs, "Q810847" is still displayed on
the Update Versions line in the About Internet Explorer dialog box (on the Help menu) and the registry
information related to this update is still present. Therefore, Windows Update
does not offer this update to you automatically. To resolve this problem,
reinstall the update discussed in this article. To do this, visit the following
Microsoft Web site and download the patch:
- This patch may replace some files from a previously
installed Internet Explorer hotfix, or you may receive the following error
message when you try to install this patch:
Microsoft
Internet Explorer Update
This update requires Internet Explorer
version to be installed.
To
resolve this problem, follow these steps:
- If the symptoms that caused you to obtain the previous
hotfix recur (because this patch replaced some files from the previously
installed Internet Explorer hotfix), reinstall the hotfix.
Note If the hotfix contains later versions of the files that are
contained in this patch, this security update is included with the
hotfix.
- If you receive this error message, first make sure that
you are installing the correct version of this patch. Internet Explorer updates
are specific to the version of Internet Explorer that you are running
(including service pack level and any hotfixes) and language locale. For
example, do not install an update for English Internet Explorer 6 on a computer
that is running German Internet Explorer 6 or English Internet Explorer 6 SP1.
If you are sure that you have the correct version of this patch, use the
/n:v switch to install this patch, and then reinstall
the previously installed Internet Explorer hotfix (if you now need
to).
Note If the hotfix contains later versions of the files that are
contained in this patch, this security update is included with the
hotfix.
To confirm that you have the correct update package for this
patch, follow these steps:
A. Click Start, and then click Run.
B. Type the following command to extract the contents
of the update package to a temporary folder (c:\q810847 in this example):
path\Q810847.exe /c /t:c:\q810847
C. Click Start, and then click Search (or point to Search, and then click
For Files and Folders).
D. In the All or part of the file name box, type Shdocvw.dll, and then click
Search (or Search Now).
E. After the search results are displayed, right-click
the Shdocvw.dll file in your Windows\System32 folder, and then click
Properties.
F. Click the Version tab, and then note the File version value.
G. Click Language, and then note the value.
H. Click OK.
I. Repeat steps E through G for the Shdocvw.dll file
in your C:\Q810847 folder.
J. If the version of Shdocvw.dll in the C:\Q810847
folder is later (a higher number) than the version in your Windows\System32
folder, but is earlier (a lower number) than the next available version of
Internet Explorer (from 164539), you have the correct
version of this patch.
Note If the language value is different, either obtain the correct
update package for your Windows language version or use the
/n:v switch to install this patch over an English
version of Windows with Multilingual Menus and Dialog Boxes for Internet
Explorer or the Windows 2000 or Windows XP MultiLanguage Version.
- When you try to install the Internet Explorer 5.01 SP3
version of this update on a computer that is not running Windows 2000 SP3 (with
Internet Explorer 5.01 SP3), you receive the following error message:
Microsoft Internet Explorer Update
This update requires
Internet Explorer 5.01 Service Pack 2 to be installed.
This error
message is incorrect. To install the Internet Explorer 5.01 version of this
patch, you must have the version of Internet Explorer 5.01 that is included
with Windows 2000 SP3 (Version 5.00.3502.1000) installed.
- For additional information about
known issues that may occur after you install this update, click the following
article number to view the article in the Microsoft Knowledge Base:
325192
Issues After You Install Updates to Internet Explorer or Windows
The
third-party products that are discussed in this article are manufactured by
companies that are independent of Microsoft. Microsoft makes no warranty,
implied or otherwise, regarding the performance or reliability of these
products.
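
The "(or later)" file versions in the File Information tables and the package check in steps E through J of Known Issues both depend on comparing four-part version numbers field by field as integers. The following is an added example, not Microsoft's tooling: it parses table rows copied from this article and audits a constructed inventory. The function names and the SAMPLE inventory are hypothetical, and installed versions are assumed to be supplied as strings.

```python
import re

# Rows copied from this article's "Internet Explorer 6" file table.
IE6_TABLE = """\
02-Dec-2002 13:35 6.0.2723.2500 2,761,728 Mshtml.dll
02-Dec-2002 13:38 6.0.2722.900 34,304 Pngfilt.dll
05-Nov-2002 16:01 6.0.2723.100 1,336,320 Shdocvw.dll
11-Oct-2002 16:53 6.0.2722.900 481,280 Urlmon.dll
"""

# Date, time, version, size, file name (a trailing platform tag is ignored).
ROW = re.compile(r"^\d{2}-[A-Za-z]{3}-\d{4}\s+\d{2}:\d{2}\s+([\d.]+)\s+[\d,]+\s+(\S+)")

def ver(text):
    """'6.00.2800.1106' -> (6, 0, 2800, 1106); fields compare as integers."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) != 4:
        raise ValueError(f"expected four version fields: {text!r}")
    return parts

def parse_table(text):
    """Map lower-cased file name -> minimum version listed in the table."""
    wanted = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            wanted[m.group(2).lower()] = ver(m.group(1))
    return wanted

def audit(installed, table_text):
    """Return {file: 'ok' | 'outdated' | 'missing'} against the table."""
    report = {}
    for name, minimum in parse_table(table_text).items():
        have = installed.get(name)
        if have is None:
            report[name] = "missing"
        else:
            report[name] = "ok" if ver(have) >= minimum else "outdated"
    return report

def package_matches(installed, packaged, next_release):
    """Step J: packaged file is later than installed, earlier than next release."""
    return ver(installed) < ver(packaged) < ver(next_release)

# Constructed inventory of one machine (sample data, not real).
SAMPLE = {"mshtml.dll": "6.0.2723.2500", "pngfilt.dll": "6.0.2722.900",
          "shdocvw.dll": "6.0.2723.90", "urlmon.dll": "6.0.2722.900"}

if __name__ == "__main__":
    for name, status in audit(SAMPLE, IE6_TABLE).items():
        print(f"{name:12} {status}")
```

The sample Shdocvw.dll version 6.0.2723.90 is reported as outdated against 6.0.2723.100, which a plain string comparison would get wrong.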