DOCUMENT:Q243638
TITLE   :Update Available for "IFRAME ExecCommand" Vulnerability in Internet Explorer 5
PRODUCT :Internet Explorer
PROD/VER:5.0
OPER/SYS:WINDOWS 98, Windows 95, Windows NT

-------------------------------------------------------------------------------
The information in this article applies to:

 - Microsoft Internet Explorer version 5 for Windows 98
 - Microsoft Internet Explorer version 5 for Windows 95
 - Microsoft Internet Explorer version 5 for Windows NT 4.0
-------------------------------------------------------------------------------

SUMMARY
=======

Microsoft has made an update available that addresses a potential security
issue relating to the use of the Document.ExecCommand() method when invoked on
an IFrame. When you visit a Web site, this issue may enable a malicious Web
site operator to read files on your computer, although the name and location of
the file would have to be known to exploit this issue.

NOTE: Microsoft has not received any reports of adverse effects as a result of
this issue.

Additional information about this issue is available at the following Microsoft
Web sites:

   http://www.microsoft.com/windows/ie/security/default.asp
   http://www.microsoft.com/security/bulletins/ms98-042.asp

Updates are available for the following products:

 - Microsoft Internet Explorer 5 for Windows 95
 - Microsoft Internet Explorer 5 for Windows NT 4.0 (Alpha and x86)
 - Microsoft Windows 98

This update also fixes the "Download Behavior" issues in Microsoft Internet
Explorer previously documented in the following article in the Microsoft
Knowledge Base:

   Q242542 Download Behavior Vulnerability in Internet Explorer 5

For additional information about this issue, please see the following Microsoft
Web site:

   http://www.microsoft.com/security/bulletins/ms99-040.asp

MORE INFORMATION
================

This fix blocks the execCommand only in cases where it is being used
cross-domain and from script.

To obtain this update, download and install the appropriate Q243638.exe file
for your computer from the following Microsoft site:

   ftp://ftp.microsoft.com/peropsys/IE/IE-Public/Fixes/usa/IE50/MSHTML-fix/

   Updated file name   Size                 Date       Version
   ----------------------------------------------------------------
   Mshtml.dll          2,355,472 (x86)      10-13-99   5.00.2722.1300
   Mshtml.dll          4,983,056 (Alpha)    10-13-99   5.00.2722.1300

After you install this update "Q43638" is added to the Update Versions line
when you click About Internet Explorer on the Help menu in Internet Explorer.

Microsoft highly recommends that Internet Explorer 5 users evaluate the degree
of risk that this vulnerability poses to their computers and determine whether
to download and install the patch.

Users who are concerned about this vulnerability but cannot install the patch
can prevent this behavior from operating by disabling Active Scripting in
Internet Explorer 5:

1. In Internet Explorer 5, click Internet Options on the Tools menu, and then
   click the Security tab.

2. Click the Internet zone, and then click Custom Level.

3. In the Settings box, locate the Active Scripting item under Scripting, and
   then click Disable.

4. Click OK, and then click OK.

NOTE: If you visit Web sites that rely on Active Scripting, some of their
features and functions may not be available.

If you need Active Scripting to use a site that you trust, you may want to
consider adding the site to the Trusted Sites zone:

1. In Internet Explorer 5, click Internet Options on the Tools menu, and then
   click the Security tab.

2. Click the Trusted Sites zone, and then click Sites.

3. Type the Web address (URL) of the site, and then click Add.

4. Click OK, and then click OK.

Additional query words:

============================================================================

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS"
WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER
EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS
SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN
IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY
OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF
LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION
MAY NOT APPLY.
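
The article lists 5.00.2722.1300 as the updated Mshtml.dll version. The Python
script below is an added example, not part of the Microsoft article: it checks a
collected inventory of Mshtml.dll file versions against that build, comparing
the four fields numerically because a plain string comparison ranks versions
incorrectly. The host names and inventory entries are constructed, and treating
any build at or above the listed one as containing the fix is an assumption.

```python
# Added example: audit collected Mshtml.dll versions against the fixed build.
FIXED_MSHTML = "5.00.2722.1300"  # version listed in the article's file table


def parse_version(text):
    """Turn 'a.b.c.d' into a tuple of four ints; raise ValueError otherwise."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError("not a four-part file version: %r" % text)
    return tuple(int(p) for p in parts)


def is_patched(installed, fixed=FIXED_MSHTML):
    """True when the installed build is at or above the fixed build.

    Assumption: later Mshtml.dll builds also contain this fix.
    """
    return parse_version(installed) >= parse_version(fixed)


def audit(inventory):
    """Map each host in (host, version) pairs to a patch status string."""
    report = {}
    for host, version in inventory:
        try:
            report[host] = "patched" if is_patched(version) else "needs Q243638"
        except ValueError:
            # Truncated or garbled version data: flag for manual review.
            report[host] = "unknown"
    return report


# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE_INVENTORY = [
    ("ws-01", "5.00.2722.1300"),  # exactly the fixed build
    ("ws-02", "5.00.2722.900"),   # older, yet sorts higher as a string
    ("ws-03", "5.0.2800.0"),      # newer build, different zero padding
    ("ws-04", "5.00.2614"),       # truncated value from a bad collection run
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(host, status)
```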