Microsoft Security Bulletin (MS00-009): Frequently Asked Questions

What's this bulletin about?
Microsoft Security Bulletin MS00-009 announces the availability of a patch that eliminates a vulnerability in Microsoft® Internet Explorer. The vulnerability could allow a malicious web site operator to view files on the computer of a visiting user, under certain circumstances. Microsoft is committed to protecting customers' information, and is providing the bulletin to inform customers of the vulnerability and what they can do about it.

What's the scope of the vulnerability?
The vulnerability could allow a malicious web site operator to view files on the computer of a visiting user. The malicious web site operator would need to know the name and location of the file on the user's computer, and could only view files that can be opened in a browser window.
The ability of a malicious web site operator to exploit this vulnerability depends somewhat on timing - the vulnerability is only present if particular actions happen within a fairly narrow window of time. However, this would impede but not prevent a malicious user from exploiting the vulnerability. Most of the factors involved in the timing are under the web host's control, and a determined user could eventually make the needed adjustments to exploit the vulnerability.
Finally, the vulnerability requires Active Scripting in order to succeed. If the malicious site were in a Security Zone that does not allow Active Scripting, the vulnerability could not be exploited.

What causes the vulnerability?
The vulnerability exists because it is possible, under very specific conditions, to violate IE's cross-domain security model in order to allow a web site to read data that it should be prevented from reading.

What is meant by "IE's cross-domain security model"?
One of the principal security functions of a browser is to ensure that browser windows that are under the control of different web sites cannot interfere with each other or access each other's data, while allowing windows from the same site to interact with each other. To differentiate between cooperative and uncooperative browser windows, the concept of a "domain" has been created. A domain is a security boundary - any open windows within the same domain can interact with each other, but windows from different domains cannot. The "cross-domain security model" is the part of the security architecture that keeps windows from different domains from interfering with each other.
The simplest example of a domain is associated with web sites. If you visit www.microsoft.com, and it opens a window to www.microsoft.com/security, the two windows can interact with each other because both belong to the same domain, www.microsoft.com. However, if you visited www.microsoft.com, and it opened a window to a different web site, the cross-domain security model would protect the two windows from each other. The concept goes even farther. The file system on your local computer, for instance, is also a domain. So, for instance, www.microsoft.com could open a window and show you a file on your hard drive. However, because your local file system is in a different domain from the web site, the cross-domain security model should prevent the web site from reading the file that is being displayed.

What happens in this vulnerability?
In this vulnerability, a malicious web site opens a window to the file system on the visiting user's computer, and displays a file there. It then navigates to a new window in its own domain - this navigation is also known as a redirect. Both of these actions are allowed. However, the specific method through which the redirect is made, via the <IMG SRC> HTML tag, provides a brief window during which the new window hasn't been categorized into its new domain, and can still access data in the old window. This would allow the web site to retrieve the contents of the file that was displayed.
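
The timing window described above can be pictured with a small model of a domain check that consults a stale categorization during a redirect. This is an added example, not code from the bulletin or from Internet Explorer: BrowserWindow, the actingDomain functions and the sample URLs are hypothetical names chosen for illustration, and the stricter check is one possible way to close the window, not a description of the patch.

```javascript
// Added conceptual model. All names here are hypothetical; this is not
// Internet Explorer's implementation or the logic of Microsoft's patch.
const LOCAL_FILES = "local-file-system"; // the local machine is its own domain

// Map a URL to its domain: all local files share one domain, web pages use the host.
function domainOf(url) {
  const u = new URL(url);
  return u.protocol === "file:" ? LOCAL_FILES : u.hostname.toLowerCase();
}

class BrowserWindow {
  constructor(url) {
    this.domain = domainOf(url); // domain the window is currently categorized into
    this.pendingUrl = null;      // non-null while a redirect is in progress
  }
  beginRedirect(url) { this.pendingUrl = url; } // new content starts arriving
  finishRedirect() {                            // window is recategorized
    this.domain = domainOf(this.pendingUrl);
    this.pendingUrl = null;
  }
}

// Flawed: trusts the recorded category, which is stale during a redirect.
function actingDomainFlawed(win) { return win.domain; }

// Stricter: during a redirect the window already acts as its destination domain.
function actingDomainStrict(win) {
  return win.pendingUrl !== null ? domainOf(win.pendingUrl) : win.domain;
}

// Cross-domain rule: a window may read a document only inside its own domain.
function canRead(actingDomain, win, documentUrl) {
  return actingDomain(win) === domainOf(documentUrl);
}

// Constructed scenario: a window shows a local file, then is redirected to a web site.
function redirectScenario(actingDomain) {
  const file = "file:///C:/constructed/example.txt"; // constructed sample path
  const win = new BrowserWindow(file);
  win.beginRedirect("http://site.example/next");     // constructed sample site
  const duringRedirect = canRead(actingDomain, win, file);
  win.finishRedirect();
  return { duringRedirect, afterRedirect: canRead(actingDomain, win, file) };
}

console.log("flawed:", redirectScenario(actingDomainFlawed));
console.log("strict:", redirectScenario(actingDomainStrict));
```

In the flawed variant the local file is readable only while the redirect is pending, which matches the narrow timing window the FAQ describes; once the window has been recategorized, both variants deny the read.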

What kinds of files could be viewed via this vulnerability?
Only files that can be opened in a browser window. Examples are .txt, .htm or .js files. Examples of file types that cannot be opened in a browser window include .doc, .dat, .exe and other file types.

What is the <IMG SRC> HTML tag?
Tags in HTML specify formatting commands. The <IMG SRC> tag specifies the source of an image that's to be displayed in the browser window. However, in this vulnerability, the <IMG SRC> tag is not being used in its usual fashion, and the specific way in which it is being used is what causes the vulnerability.

How likely am I to be affected by this vulnerability?
It depends on your web browsing habits. The key thing to remember is that you have to visit a malicious web site in order to be affected by it. Most people visit a small number of familiar, professionally-operated web sites, and it's unlikely that such a site would pose any risk. Users who surf lots of unknown web sites would be at greater risk. However, Security Zones provide a great way to manage your risk, and we recommend that customers use them.

Could this vulnerability be exploited accidentally?
No. The steps that a web site would need to take in order to exploit this vulnerability are extremely unlikely to be useful for any purpose except exploiting this vulnerability.

What does the patch do?
The patch restores the IE cross-domain security model to its designed operation, and prevents the <IMG SRC> tag from making it possible to violate it.

Where can I get the patch?
The download location for the patch is provided in the "Patch Availability" section of the security bulletin.

How can I tell if I installed the patch correctly?
Use the following table to verify that you installed the patch correctly.

Platform   Operating system               Version of IE   MSHTML.DLL properties if the patch is installed correctly
Intel      Windows NT                     IE 4.01 sp2     Date: January 28, 2000; Size: 2,422,544 bytes
Intel      Windows 95 or 98               IE 4.01 sp2     Date: January 28, 2000; Size: 2,423,056 bytes
Intel      Windows NT, Windows 95 or 98   IE 5.01         Date: January 26, 2000; Size: 2,352,912 bytes
Alpha      Windows NT                     IE 4.01 sp2     Date: January 28, 2000; Size: 3,952,400 bytes

How can I use Internet Zones to manage my security?
The Internet Zones feature of IE allows you to sort the web sites you visit into categories based on how much you trust them. We recommend putting the sites that you visit frequently and trust into the Trusted Zone. All other sites will reside in the Internet Zone, and you can restrict what these sites can do simply by changing the security settings on this zone.

What is Microsoft doing about this issue?

Microsoft has developed a patch that eliminates the vulnerability.

Microsoft has provided a security bulletin and this FAQ to provide customers with a detailed understanding of the vulnerability and the patch.

Microsoft has sent copies of the security bulletin to all subscribers to the Microsoft Product Security Notification Service, a free e-mail service that customers can use to stay up to date with Microsoft security bulletins.

Microsoft has issued a Knowledge Base article explaining the vulnerability and patch in more detail. The link will be posted here as soon as it becomes available.

Where can I learn more about best practices for security?
The Microsoft TechNet Security web site is the best place to get information about Microsoft security.

How do I get technical support on this issue?
Microsoft Technical Support can provide assistance with this or any other product support issue.

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

