Microsoft Security Program: Frequently Asked Questions: Microsoft Security Bulletin (MS99-040)
What's this bulletin about?
Microsoft Security Bulletin MS99-040 was originally released on September 28, 1999, to provide a workaround for a security vulnerability involving Microsoft® Internet Explorer 5, and has been updated to announce the availability of a patch that completely eliminates it. The vulnerability could allow a web site to read a file on the computer of a user who visited it. Microsoft takes security seriously, and is providing the bulletin to inform customers of the vulnerability and what they can do about it.
What's the scope of the vulnerability?
This vulnerability could allow a malicious web site operator to read files on the computer of a user who visited it or on other computers on that user's local Intranet. It would not allow files to be created, deleted or modified.
What is the vulnerability?
This vulnerability lies in the implementation of a feature in IE 5 called "Download Behavior". This feature allows web pages to download files for use in client-side script. By design, these files must reside on the same domain as the web server providing the pages. This restriction prevents client-side script from accessing files from the client PC or the local intranet to the web page.
A malicious web site operator could use a server-side redirect to bypass the domain restriction. This would allow the web site to copy files from the user's machine or the user's local Intranet to the web server and read them.
What is client-side script?
A script is a program, usually one written in a language like Visual Basic or Javascript. Some software is designed to run on the server, while other software is designed to be run by the web browser, also known as a web client. Client-side script is just software designed to be run by the browser.
What is a server-side redirect?
A server-side redirect is a mechanism that is normally used by webmasters to navigate web browsers to different pages, similar to a "meta refresh". In the case of this exploit, the server-side redirect tricks the download behavior, causing it to download a page from a domain different from that of the web page. If a malicious web site operator knew or could guess the name of a file and its location, it would be possible for the web site operator to read the file from the user's computer or the Intranet to which it was connected.
How does the patch eliminate the vulnerability?
The patch restores the by-design operation of the download behaviors feature, and only allows client-side script to be downloaded from the same domain as the web server.
Where can I get the patch?
The download location for the patch is provided in the security bulletin.
How can I tell if I installed the patch correctly?
Knowledge Base article 242542 provides a manifest of the files in the patch package. The easiest way to verify that you've installed the patch correctly is to check that these files are present on your computer, and have the same sizes and creation dates as shown in the KB article.
I previously disabled Active Scripting as a workaround. How do I re-enable it?
Just follow these instructions:
| • | In IE, select Tools | Internet Options, then click on the Security tab. |
| • | Select the Internet Zone, then click on the "Custom Level" button. |
| • | Under "Scripting", find the entry labeled "Active Scripting" and set it to "Enable." |
| • | Click OK twice to return to IE. |
What is Microsoft doing about this issue?
| • | Microsoft has developed a patch that eliminates the vulnerability. |
| • | Microsoft has provided a security bulletin and this FAQ to provide customers with a detailed understanding of the vulnerability and what they can do about it. |
| • | Microsoft has sent copies of the security bulletin to all subscribers to the Microsoft Product Security Notification Service, a free e-mail service that customers can use to stay up to date with Microsoft security bulletins. |
| • | Microsoft has issued a Knowledge Base article explaining the vulnerability and patch in more detail. |
Where can I learn more about best practices for security?
The Microsoft Security web site is the best to place to get information about Microsoft security.
How do I get technical support on this issue?
Microsoft Technical Support can provide assistance with this or any other product support issue.
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.
