DOCUMENT:Q240308
TITLE   :Update Available for Scriptlet.typlib/Eyedog Security Vulnerability
PRODUCT :Internet Explorer
PROD/VER:4.0, 4.01, 4.01 SP1, 4.01 SP2, 5.0
OPER/SYS:WINDOWS 98, Windows 95, Windows NT

-------------------------------------------------------------------------------
The information in this article applies to:

 - Microsoft Internet Explorer versions 4.0, 4.01 Service Pack 2, 5 for
   Windows 98
 - Microsoft Internet Explorer versions 4.0, 4.01, 4.01 Service Pack 1,
   4.01 Service Pack 2, 5 for Windows NT 4.0
 - Microsoft Internet Explorer version 5 for Windows 95
-------------------------------------------------------------------------------

SUMMARY
=======

Microsoft has released an update that eliminates security vulnerabilities in
two ActiveX controls, the Scriptlet.typlib control and the Eyedog control.
Although the risk from these controls is serious, it is limited by the user's
privileges on the computer.

Additional information about this issue is available from the following
Microsoft Web site:

   http://www.microsoft.com/security/bulletins/ms99-032.asp

This update eliminates a vulnerability that could allow a malicious Web site
operator to take inappropriate actions on your computer and has been posted to
the following Internet location:

   ftp://ftp.microsoft.com/peropsys/IE/IE-Public/Fixes/usa/Eyedog-fix/

MORE INFORMATION
================

This issue involves two ActiveX controls, the Scriptlet.typlib and Eyedog
controls. These controls are not related to each other; their only
relationship is that both are incorrectly marked as "safe for scripting" and
can therefore be called from Internet Explorer.

 - The Scriptlet.typlib control is used by developers to generate Type
   Libraries for Windows Scripting Components. It should not be marked "safe
   for scripting" because it allows local files to be created or modified.
   The update removes the "safe for scripting" marking, causing Internet
   Explorer to request confirmation from the user before loading the control.

 - The Eyedog control is used by diagnostic software in Windows. It should
   not be marked "safe for scripting" because it allows registry information
   to be queried and computer characteristics to be gathered. In addition,
   one of the control's methods is vulnerable to a buffer overrun attack. The
   update prevents the control from loading within Internet Explorer.

For additional security-related information about Microsoft products, please
visit the following Microsoft Web site:

   http://www.microsoft.com/security

Additional query words: ie

============================================================================

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS"
WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER
EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS
SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN
IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY
OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF
LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION
MAY NOT APPLY.
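
One way to audit a machine for controls in the state described under MORE INFORMATION, as an added example that is not part of the Microsoft article: the script reads a regedit export and lists controls registered in the "safe for scripting" component category that no Internet Explorer kill bit ("Compatibility Flags" 0x400) blocks. Assumptions: the sample export and its CLSIDs are constructed placeholders, the article does not say which mechanism the update uses to stop Eyedog from loading, and a control that asserts safety only through its IObjectSafety interface has no category key and will not be listed.

```python
import re

# Component category a control registers under to claim "safe for scripting".
CATID_SAFE_FOR_SCRIPTING = "{7DD95801-9882-11CF-9FA9-00AA006C42C4}"
KILL_BIT = 0x400  # "Compatibility Flags" bit that stops IE loading a control
GUID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
CATEGORY_KEY = re.compile(
    r"\\CLSID\\(%s)\\Implemented Categories\\(%s)$" % (GUID, GUID), re.I)
COMPAT_KEY = re.compile(
    r"\\Internet Explorer\\ActiveX Compatibility\\(%s)$" % GUID, re.I)
FLAGS_VALUE = re.compile(r'^"Compatibility Flags"=dword:([0-9a-f]{8})$', re.I)

# Constructed sample export; the CLSIDs are placeholders, not real controls.
SAMPLE = r"""REGEDIT4

[HKEY_CLASSES_ROOT\CLSID\{AAAAAAAA-0000-0000-0000-000000000001}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}]
[HKEY_CLASSES_ROOT\CLSID\{BBBBBBBB-0000-0000-0000-000000000002}\Implemented Categories\{7dd95801-9882-11cf-9fa9-00aa006c42c4}]
[HKEY_CLASSES_ROOT\CLSID\{CCCCCCCC-0000-0000-0000-000000000003}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{BBBBBBBB-0000-0000-0000-000000000002}]
"Compatibility Flags"=dword:00000400
"""

def audit(reg_text):
    """Map CLSID -> {'safe_for_scripting': bool, 'kill_bit': bool}."""
    report, compat_clsid = {}, None
    def entry(clsid):
        return report.setdefault(
            clsid.upper(), {"safe_for_scripting": False, "kill_bit": False})
    for line in (l.strip() for l in reg_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            # New key header: any value lines that follow belong to this key.
            key, compat_clsid = line[1:-1], None
            m = CATEGORY_KEY.search(key)
            if m and m.group(2).upper() == CATID_SAFE_FOR_SCRIPTING:
                entry(m.group(1))["safe_for_scripting"] = True
            m = COMPAT_KEY.search(key)
            if m:
                compat_clsid = m.group(1)
        elif compat_clsid:
            m = FLAGS_VALUE.match(line)
            if m and int(m.group(1), 16) & KILL_BIT:
                entry(compat_clsid)["kill_bit"] = True
    return report

def exposed(report):
    """CLSIDs marked safe for scripting that no kill bit blocks."""
    return sorted(c for c, s in report.items()
                  if s["safe_for_scripting"] and not s["kill_bit"])
```

Calling exposed(audit(text)) on an export of the CLSID and ActiveX Compatibility keys gives the list of controls to review by hand.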