What's this bulletin about?
This bulletin announces the availability of a patch that eliminates a vulnerability in Microsoft® Internet Explorer. The vulnerability could allow a malicious web site operator to read files on the computer of a visiting user. Microsoft takes security seriously, and is providing the bulletin to inform customers of the vulnerability and what they can do about it.
What's the scope of the vulnerability?
The vulnerability could allow a malicious web site operator to read files on a visiting user's computer, but only if he or she already knew the name of the file and the folder in which it resides. Even then, the malicious user could not add, delete or change files on the user's computer, nor could he or she cause any other action to be taken on the computer. Finally, the vulnerability would only allow the malicious user to view file types that can be opened in a browser window.
The vulnerability only exists if Active Scripting is enabled in the Security Zone that the web site resides in. For example, if a user had disabled Active Scripting in the Internet Zone, a site in this zone would be unable to take any action against the user even if he or she visited the site. More information on how to use Security Zones is provided below.
What is the vulnerability?
This vulnerability involves a method of bypassing the restrictions on the data that a web server can read. Specifically, it allows a web server to violate cross-domain restrictions via a redirect to a Javascript applet.
What are cross-domain restrictions?
Cross-domain restrictions are designed to separate the data that belongs to the server from the data that belongs to the client. The first thing to understand is that the "domains" discussed here are not Internet domains, like microsoft.com; the term as used here just refers to places with different owners, like the web server and your computer. The idea behind cross-domain restrictions is that data that resides in one domain, such as your computer, should not be accessible to another domain, such as the server, unless the owner has agreed.
The specific restriction involved here is the ability of a web server to view data in another domain. A web server sometimes will have a bona fide need to cause IE to display data that resides on your computer. For instance, if you're visiting an e-commerce site, the server needs to be able to direct IE to display an order form with all of the current data. However, the web server should not be able to view the data until you submit the form. Cross-domain restrictions are designed to enforce this separation of data.
This vulnerability involves a way for the server to bypass cross-domain restrictions, via a redirect to a Javascript applet, in order to view a file that resides on your computer. It could not add, delete or change files, and could only display files whose names and folders were already known.
What is a redirect?
Redirects provide a way to keep references to web sites up to date. For example, suppose that Microsoft were to change http://www.microsoft.com/xyz to http://xyz.microsoft.com/. There could be a lot of sites that already point to the original URL, and rather than letting all of these references return a "Page not found" error, the Microsoft web servers could be programmed with redirects that translate requests for the former URL into the latter. If a customer entered http://www.microsoft.com/xyz in IE, he or she would be transparently redirected to http://xyz.microsoft.com instead.
However, redirects can do more than move the browser from one web page to another. In the case of this vulnerability, a redirect is used to move the browser from a web page that resides on the user's computer to a script, and the domain information that should have followed the redirect is lost along the way. Because both the data and the script then appear to belong to the user's computer, the script is free to read the data, and it can send the data back to the server by any of several mechanisms.
What kinds of files could be viewed via this vulnerability?
Only files that can be opened in a browser window, such as .txt, .htm or .js files. File types that cannot be opened in a browser window, such as .doc, .dat and .exe, could not be viewed.
What versions of IE are affected?
The vulnerability affects IE 4.01 and IE 5.
What does the patch do?
The patch ensures that domain information is retained even when redirects occur.
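The following is an added example, not code from the bulletin or from Microsoft, that models the cross-domain check described in the redirect and patch answers above. The hostnames, the redirect table and the local file are all made up; the point is the rule by which the browser decides which domain a script reached through a redirect belongs to, in the broken form and in the form the patch describes (domain information retained across the redirect):

```powershell
# Added example, not part of the bulletin: a toy model of how the cross-domain
# check treats a redirect to a script URL, in the vulnerable and the patched form.
# Hostnames, the redirect table and the local file are all made up.

$Redirects = @{
    # Ordinary redirect: the target has an origin of its own.
    'http://www.microsoft.com/xyz' = 'http://xyz.microsoft.com/'
    # Redirect to a script: the target has no origin of its own.
    'http://attacker.example/jump' = 'javascript:/* script chosen by the site */ void 0'
}

function Get-Origin {
    param([string]$Url)
    if ($Url -like 'javascript:*') { return $null }      # script URLs carry no origin
    $u = [uri]$Url
    if ($u.Scheme -eq 'file') { return 'file://' }       # all local files are one domain here
    return '{0}://{1}' -f $u.Scheme, $u.Authority
}

function Invoke-FrameNavigation {
    param(
        [string]$FrameOrigin,    # origin of the document currently shown in the frame
        [string]$Url,            # URL the frame is told to navigate to
        [switch]$Patched         # apply the fixed rule instead of the broken one
    )
    $current    = $Url
    $lastServer = Get-Origin $Url
    for ($hops = 0; $Redirects.ContainsKey($current) -and $hops -lt 5; $hops++) {
        $current = $Redirects[$current]
        $o = Get-Origin $current
        if ($o) { $lastServer = $o }                      # remember who redirected us
    }
    $scriptOrigin = Get-Origin $current
    if (-not $scriptOrigin) {
        # The script has no origin of its own, so the browser must assign one.
        # Broken rule: keep the origin of whatever the frame showed before.
        # Fixed rule:  keep the origin of the server that issued the redirect.
        $scriptOrigin = if ($Patched) { $lastServer } else { $FrameOrigin }
    }
    [pscustomobject]@{
        FinalUrl     = $current
        ScriptOrigin = $scriptOrigin
        CanReadFrame = ($scriptOrigin -eq $FrameOrigin)  # the cross-domain check
    }
}

# A frame holding a local text file, then told to visit the attacker's redirect.
$frame = Get-Origin 'file:///C:/Temp/notes.txt'
Invoke-FrameNavigation -FrameOrigin $frame -Url 'http://attacker.example/jump'
Invoke-FrameNavigation -FrameOrigin $frame -Url 'http://attacker.example/jump' -Patched
# The harmless redirect resolves to a server origin and is unaffected either way.
Invoke-FrameNavigation -FrameOrigin $frame -Url 'http://www.microsoft.com/xyz' -Patched
```

Under the broken rule the script reached through attacker.example inherits the frame's file:// origin, so the cross-domain check passes and the script may read the frame. With -Patched the script is attributed to the server that redirected to it, the origins differ, and the read is refused, which is what "domain information is retained even when redirects occur" amounts to in this model.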
How likely am I to be affected by this vulnerability?
It depends on your web browsing habits. The key thing to remember is that you have to visit a malicious web site in order to be affected by it. So, for instance, if you're using IE on a corporate intranet that's well-regulated, it's very unlikely that any of the sites would attempt to exploit this vulnerability. Even on the Internet, most people visit a small number of familiar, professionally-operated web sites. If you fall into this category, it's unlikely that you would be affected by this vulnerability. Users who surf lots of unknown web sites would be at greater risk. However, Security Zones provide a great way to manage your risk, and we recommend that customers use them.
Once I've installed the patch, can I re-enable Active Scripting in the Internet Zone?
Yes. However, we recommend that you continue to use the Security Zones features of IE to manage the actions you let web sites take, as discussed below. Here's how to re-enable Active Scripting in the Internet Zone:
| • | Select "Tools," then "Internet Options." Click the "Security" tab. |
| • | In the box labeled "Select a Web content zone to specify its current security settings," click "Internet," then click "Custom level." |
| • | Scroll down until you see a major heading labeled "Scripting," then find the minor heading marked "Active Scripting." Click the "enabled" button under "Active Scripting." |
| • | Click on OK twice to accept the changes and return to IE. |
Where can I get the patch?
The download location for the patch is provided in the "Patch Availability" section of the security bulletin.
I have IE 4.01, but when I tried to install the patch, it said that I didn't need it. What happened?
The patch requires IE 4.01 SP2 in order to install. If you received this message, you have IE 4.01 SP1. Contrary to the message, IE 4.01 SP1 does need the patch; however, you will need to first install IE 4.01 SP2, then install the patch. You can download IE 4.01 SP2 at http://www.microsoft.com/windows/downloads/ie/getitnow.mspx.
How can I verify that I installed the patch correctly?
Knowledge Base article 244356 provides a manifest of the files in the patch package. The easiest way to verify that you've installed the patch correctly is to check that these files are present on your computer, and have the same sizes and creation dates as shown in the KB article.
Once I've applied the patch, can I re-enable Active Scripting in the Internet Zone?
Yes. However, Security Zones provide a great way to manage your security, and we recommend that customers use them. It's always a good idea to restrict what untrusted sites can do, and to grant more capabilities to sites that you trust.
What are Security Zones?
Security zones are an important security tool. They let you group web sites based on how much you trust them. Once you've done this, you can give more freedom to trusted sites, and impose restrictions on untrusted ones. This lets you get the best of both worlds - a great web experience on sites that you trust, and tight security on ones that you don't.
How do Security Zones work?
IE enables you to categorize web sites into four different "zones".
| • | The Internet Zone-All Internet web sites are categorized here by default. |
| • | The Local Intranet Zone-All web sites that are local to your organization are categorized here by default. |
| • | The Trusted Zone-This zone contains all sites you have explicitly said you trust not to take malicious action. |
| • | The Restricted Zone-This zone contains all the sites you have explicitly said you do not trust. |
Each zone has its own set of allowed and disallowed actions, and you can customize them as you like. For instance, you could configure the Internet Zone so that ActiveX controls could only be run if they've been digitally signed by someone you trust. Likewise, you could configure the Trusted Zone so that sites there could use any ActiveX controls, whether signed or not.
As a workaround for this issue, Microsoft recommends that you add sites you trust to the Trusted Zone, and then disable Active Scripting in the Internet Zone. This lets you continue using trusted web sites exactly as you do today, while tightening the restrictions on untrusted sites. Once you have installed the patch, you can re-enable Active Scripting in the Internet Zone.
How do I add sites to the Trusted Zone?
Just follow these steps:
| • | Select "Tools," then "Internet Options." Click the "Security" tab. |
| • | In the box labeled "Select a Web content zone to specify its current security settings," click "Trusted Sites," then click "Sites." |
| • | If you want to add sites that don't require a secure connection, de-select the checkbox at the bottom that says "Require server verification (https:) for all sites in this zone." |
| • | In the box labeled "Add this Web Site to the zone:," type the URL of a site that you trust, then click the "Add" button. Repeat for each site that you want to add to the zone. |
| • | Click on OK twice to accept the changes and return to IE. |
What sites should I add to the Trusted Zone?
Add any sites that you trust not to take malicious action on your computer. One in particular that you may want to add is http://windowsupdate.microsoft.com. This is the site that hosts the patch, and it requires Active Scripting in order to install the patch.
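The following is an added example, not part of the bulletin, that performs the workaround described above (add trusted sites, disable Active Scripting in the Internet Zone) and its reversal after patching, from PowerShell rather than the Internet Options dialog. It writes the per-user zone settings that the dialog edits: the Zones\<id> key holds the zone's actions (1400 is Active scripting; 0 enable, 1 prompt, 3 disable) and ZoneMap\Domains holds the site list. The zone numbers, the 1400 action and the ZoneMap layout are the standard IE ones; the two-label domain split and the site list are simplifications for illustration:

```powershell
# Added example, not part of the bulletin: the Security Zones workaround done
# through the per-user registry settings instead of the Internet Options dialog.
$ZonesKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$ZoneMapKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$ZoneId     = @{ LocalIntranet = 1; TrustedSites = 2; Internet = 3; RestrictedSites = 4 }
$ActiveScripting = '1400'                       # the "Scripting > Active scripting" action
$Setting    = @{ Enable = 0; Prompt = 1; Disable = 3 }

function Set-ZoneActiveScripting {
    param(
        [ValidateSet('LocalIntranet','TrustedSites','Internet','RestrictedSites')][string]$Zone,
        [ValidateSet('Enable','Prompt','Disable')][string]$Value
    )
    $key = Join-Path $ZonesKey $ZoneId[$Zone]
    Set-ItemProperty -Path $key -Name $ActiveScripting -Value $Setting[$Value] -Type DWord
}

function Get-ZoneActiveScripting {
    param([ValidateSet('LocalIntranet','TrustedSites','Internet','RestrictedSites')][string]$Zone)
    $key = Join-Path $ZonesKey $ZoneId[$Zone]
    $raw = (Get-ItemProperty -Path $key -Name $ActiveScripting -ErrorAction SilentlyContinue).$ActiveScripting
    ($Setting.GetEnumerator() | Where-Object Value -eq $raw).Key   # Enable / Prompt / Disable
}

function Add-TrustedSite {
    # Equivalent of typing a site into "Add this Web Site to the zone".
    # The dialog's "Require server verification (https:)" checkbox lives in the
    # zone's Flags value and is left alone here; prefer -Scheme https where offered.
    param([string]$Site, [ValidateSet('http','https')][string]$Scheme = 'http')
    $labels = $Site.Split('.')
    # ZoneMap stores example.com as key "example.com" and www.example.com as
    # key "example.com\www"; the value, named after the scheme, is the zone id.
    # Splitting on the last two labels is a simplification (wrong for e.g. co.uk).
    $domain = ($labels | Select-Object -Last 2) -join '.'
    $sub    = ($labels | Select-Object -SkipLast 2) -join '.'
    $key = Join-Path $ZoneMapKey $domain
    if (-not (Test-Path $key)) { New-Item -Path $key | Out-Null }
    if ($sub) {
        $key = Join-Path $key $sub
        if (-not (Test-Path $key)) { New-Item -Path $key | Out-Null }
    }
    Set-ItemProperty -Path $key -Name $Scheme -Value $ZoneId.TrustedSites -Type DWord
}

# Workaround: trust the update site, then turn scripting off for every other site.
Add-TrustedSite -Site 'windowsupdate.microsoft.com'
Set-ZoneActiveScripting -Zone Internet -Value Disable
Get-ZoneActiveScripting -Zone Internet

# Once the patch is installed, the bulletin says scripting can go back on:
# Set-ZoneActiveScripting -Zone Internet -Value Enable
```

Running this under each user account, or pushing the same values through a logon script, applies the workaround consistently, and Get-ZoneActiveScripting gives a quick way to confirm the Internet Zone state on a machine before and after the patch.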
Isn't it a lot of work to manage Security Zones?
Not really. Most users have a core group of web sites that they visit frequently. If you trust these sites, just add them to the Trusted Zone. All other sites are automatically included in the Internet Zone, so you can restrict what they can do by changing the Internet Zone configuration settings.
Should I just disable everything in the Internet Zone?
There's generally a trade-off between ease-of-use and security; by selecting a high-security configuration, you could make it extremely unlikely that a malicious web site could take action against you, but at the cost of missing a lot of rich functionality. The appropriate balance between security and ease-of-use is different for everyone, and you should pick a configuration that fits your needs. The good news is that it's easy to change your configuration, and you can try different configurations until you find the right one for you.
What is Microsoft doing about this issue?
| • | Microsoft has developed a patch that eliminates the vulnerability. |
| • | Microsoft has provided a security bulletin and this FAQ to provide customers with a detailed understanding of the vulnerability and the patch. |
| • | Microsoft has sent copies of the security bulletin to all subscribers to the Microsoft Product Security Notification Service, a free e-mail service that customers can use to stay up to date with Microsoft security bulletins. |
Where can I learn more about best practices for security?
The Microsoft Security Advisor web site is the best place to get information about Microsoft security.
How do I get technical support on this issue?
Microsoft Technical Support can provide assistance with this or any other product support issue.
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.