What's this bulletin about?
This bulletin announces the availability of a patch that eliminates a vulnerability in Microsoft® Internet Explorer. The vulnerability could allow a malicious web site operator to view files on the computer of a visiting user, under certain circumstances. Microsoft takes security seriously, and is providing the bulletin to inform customers of the vulnerability and what they can do about it.
What's the scope of the vulnerability?
The vulnerability could allow a malicious web site operator to view files on the computer of a visiting user. The malicious web site operator would need to know the name and location of the file on the user's computer, and could only view files that can be opened in a browser window.
The ability of a malicious web site operator to exploit this vulnerability depends somewhat on timing: the vulnerability is only present if particular actions happen within a fairly narrow window of time. However, this would impede but not prevent a malicious user from exploiting the vulnerability. Most of the factors involved in the timing are under the web host's control, and a determined user could eventually make the needed adjustments to exploit the vulnerability.
Finally, the vulnerability requires Active Scripting in order to succeed. If the malicious site were in a Security Zone that does not allow Active Scripting, the vulnerability could not be exploited.
What causes the vulnerability?
The vulnerability exists because of a problem in the way IE handles server-side redirects. If a web server opens a window on the browser, IE will perform a number of checks to ensure that the server can only view permissible data in the window. However, if the server redirects from a window containing data it's allowed to view, to one containing data it is not allowed to view, these checks can be bypassed if the timing of the redirect is just right.
What is a server-side redirect?
Redirects provide a way to transition the browser from one point on a web site to another. Redirects are most commonly used to translate references to outdated web pages to new, updated ones. They can be instigated either by the browser, in which case they are referred to as client-side redirects, or by the server, in which case they are referred to as server-side redirects.
In the case of this vulnerability, a server-side redirect transitions from a window on a web page to a file on the user's local drive. This is an allowable action. The vulnerability results because, in the course of performing the redirect, it is possible for the proper security checks to be missed.
What kinds of files could be viewed via this vulnerability?
Only files that can be opened in a browser window. Examples are .txt, .htm or .js files. Examples of file types that cannot be opened in a browser window include .doc, .dat, .exe and other file types.
How is this vulnerability different from the Javascript Redirect vulnerability?
The two vulnerabilities have some similarities. Both involve using redirects to bypass security restrictions, and the effect of both is to allow files on a visiting user's computer to be read. However, the similarities end there. The underlying problem in the Javascript Redirect vulnerability is a fairly straightforward implementation error, whereas the underlying problem here is much more complex, and depends on the timing with which various components interact with each other.
How likely am I to be affected by this vulnerability?
It depends on your web browsing habits. The key thing to remember is that you have to visit a malicious web site in order to be affected by it. Most people visit a small number of familiar, professionally-operated web sites, and it's unlikely that such a site would pose any risk. Users who surf lots of unknown web sites would be at greater risk. However, Security Zones provide a great way to manage your risk, and we recommend that customers use them.
What does the patch do?
The patch eliminates the timing window that allows the vulnerability to occur, and causes the security restrictions in IE to be enforced even after a server-side redirect.
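The difference between checking before a redirect and enforcing the restriction after it can be shown with a small model. This is an added example, not Internet Explorer code and not part of the original bulletin: it leaves out the timing aspect entirely, and the URLs, the RESPONSES table and the function names are constructed for illustration.

```javascript
// Constructed "server": URL -> { body } or { redirect: url }.
const RESPONSES = {
  'http://site.example/start': { redirect: 'http://site.example/page' },
  'http://site.example/page': { body: '<p>hello</p>' },
  'http://site.example/hop': { redirect: 'file:///C:/placeholder.txt' },
  'file:///C:/placeholder.txt': { body: 'constructed local file contents' },
};
const MAX_HOPS = 5;

// Security context of a URL: scheme + host, with all local files grouped.
function origin(url) {
  const u = new URL(url);
  return u.protocol === 'file:' ? 'file://' : `${u.protocol}//${u.host}`;
}

// Follow server-side redirects and return every URL visited plus the body.
function resolve(url, responses) {
  const chain = [url];
  for (let hops = 0; hops <= MAX_HOPS; hops++) {
    const current = chain[chain.length - 1];
    const res = responses[current];
    if (!res) throw new Error(`no response for ${current}`);
    if (!res.redirect) return { chain, body: res.body };
    chain.push(res.redirect);
  }
  throw new Error('too many redirects');
}

// Weak: the access decision is made from the URL that was requested,
// before the redirect, and is never revisited.
function openWindowWeak(opener, url, responses) {
  const allowed = origin(url) === origin(opener);
  const { chain, body } = resolve(url, responses);
  const finalUrl = chain[chain.length - 1];
  return { finalUrl, readable: allowed, body: allowed ? body : null };
}

// Checked: navigation to the local file is still allowed, but the decision
// to expose content is bound to the document that actually loaded.
function openWindowChecked(opener, url, responses) {
  const { chain, body } = resolve(url, responses);
  const finalUrl = chain[chain.length - 1];
  const allowed = origin(finalUrl) === origin(opener);
  return { finalUrl, readable: allowed, body: allowed ? body : null };
}
```
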
Does the patch do anything else?
Yes. This patch includes the previously-released patch for the "ImportExportFavorites" vulnerability. If you have not installed the patch for the "ImportExportFavorites" vulnerability yet, you only need to install this patch to eliminate both vulnerabilities.
If I previously installed the "ImportExportFavorites" patch, do I need to install this one?
Yes. The two vulnerabilities are entirely different. We simply combined the patches so that customers who hadn't applied either would only need a single patch.
If I install IE 5.01, do I need to install the patch?
Yes. This vulnerability was identified too late to be included in IE 5.01. If you upgrade to IE 5.01, you will need to install the patch.
Where can I get the patch?
The download location for the patch is provided in the "Patch Availability" section of the security bulletin.
How can I verify that I installed the patch correctly?
Knowledge Base article 246094 provides a manifest of the files in the patch package. The easiest way to verify that you've installed the patch correctly is to check that these files are present on your computer, and have the same sizes and creation dates as shown in the KB article.
How can I use Internet Zones to manage my security?
The Internet Zones feature of IE allows you to sort the web sites you visit into categories based on how much you trust them. We recommend putting the sites that you visit frequently and trust into the Trusted Zone. All other sites will reside in the Internet Zone, and you can restrict what these sites can do simply by changing the security settings on this zone.
What is Microsoft doing about this issue?
• Microsoft has developed a patch that eliminates the vulnerability.
• Microsoft has provided a security bulletin and this FAQ to provide customers with a detailed understanding of the vulnerability and the patch.
• Microsoft has sent copies of the security bulletin to all subscribers to the Microsoft Product Security Notification Service, a free e-mail service that customers can use to stay up to date with Microsoft security bulletins.
• Microsoft has issued a Knowledge Base article explaining the vulnerability and patch in more detail.
Where can I learn more about best practices for security?
The Microsoft Security web site is the best place to get information about Microsoft security.
How do I get technical support on this issue?
Microsoft Technical Support can provide assistance with this or any other product support issue.
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.