IE Cross Frame Navigation Vulnerability

Internet Explorer Cross Frame Navigate Vulnerability
Reported September 4, 1998 by Georgi Guninski and Microsoft

VERSIONS AFFECTED

  • Microsoft Internet Explorer 4.0, 4.01 and 4.01 SP1 on Windows NT 4.0, Windows 95
  • Microsoft Windows 98, with integrated Internet Explorer (version 4.01 SP1)
  • Microsoft Internet Explorer 4.0 and 4.01 for Windows 3.1and Windows NT 3.51
  • Microsoft Internet Explorer 4.0 and 4.01 for Macintosh
  • Microsoft Internet Explorer 3.x

DESCRIPTION

Microsoft has released a patch that fixes a recently discovered issue with the implementation of cross frame security in Microsoft Internet Explorer. Customers using affected software listed below should download and apply these patches as soon as possible.

The Cross Frame Navigate issue involves a vulnerability in Internet Explorer that could allow a malicious hacker to circumvent certain Internet Explorer security safeguards. This vulnerability makes it possible for a malicious Web site operator to read the contents of files on your computer. While there have not been any reports of Microsoft customers being adversely affected by these problems, Microsoft is releasing these patches to address the implied risks posed by these issues.

SOLUTION

On September 4th Microsoft released a patch that fixes the problem identified. This patch is available for download from the sites listed below.

Microsoft has sent this security bulletin to customers subscribing to the Microsoft Product Security Notification Service (see http://www.microsoft.com/security/bulletin.htm for more information about this free customer service).

Microsoft has published the following Knowledge Base (KB) articles on this issue:

Microsoft Knowledge Base (KB) article Q168485, Fix available for Internet Explorer Cross Frame Navigate Vulnerability http://support.microsoft.com/support/kb/articles/q168/4/85.asp

What Microsoft customers should do

Microsoft highly recommends that users of affected software versions, listed in the "Affected Software Versions" section above, should download and install the appropriate patch as soon as possible. Complete URLs for each affected software version is given below.

Internet Explorer 4

Microsoft customers using versions of Internet Explorer listed in the "Affected Products" section can obtain the patch from the Internet Explorer Security web site, http://www.microsoft.com/ie/security/xframe.htm

Windows 98

Windows 98 customers can get the updated patch using the Windows Update. To obtain this patch using Windows Update, launch Windows Update from the Windows Start Menu and click "Product Updates." When prompted, select "Yes" to allow Windows Update to determine whether this patch and other updates are needed by your computer. If your computer does need this patch, you will find it listed under the "Critical Updates" section of the page.

Internet Explorer 3 Users

Users of Internet Explorer 3 should first upgrade to the latest version of Internet Explorer 4 and then obtain the patch. Information on updating to Internet Explorer 4 can be found from the Internet Explorer download site http://www.microsoft.com/ie/download

Additional Details

In addition to the product guidelines above, you can determine if you have an affected version of mshtml.dll by following these instructions.

In Windows 98, Windows 95, and Windows NT 4.0

>From the Start Menu select Find and choose Files or Folders.
1. In the Named box, type mshtml.dll.
2. In the Look in box, click the down arrow and choose local hard drives from the list.
3. Click Find Now.
4. If mshtml.dll is not found, your system does not require the patch.
5. If mshtml.dll is found, right-click the file, select Properties, and then select the Version tab.
6. If the file version is less than 4.72.3509.0100, your system could be affected and we recommend that you download the patch. If the file version is greater than 4.72.3508.2400, your system does not need the patch.

In Windows 3.1x

1. From the File Menu in File Manager, select Search.
2. In the Search For box, type mshtml16.dll.
3. In the Start From box, type your

\[drive\]:\\[windows directory\]\SYSTEM

(for example, C:\WINDOWS\SYSTEM).

4. Click OK.
5. If mshtml16.dll is not found, your system does not require the patch.
6. If mshtml16.dll is found, click the file, press Alt-Enter, and then check the Version information.

7. If the file version is equal to or less than 4.01.2509.0200, your system could be affected and we recommend that you download the patch. If the file version is greater than 4.01.2509.0200, your system does not need the patch.

On a Macintosh

1. In Internet Explorer, click the Apple icon and select About Internet Explorer.
2. Look at the Internet Explorer version number in the bottom left corner of the dialog box.
3. If the version is 4.01 (PowerPC) or 4.01 (68k), your system could be affected and we recommend that you download the patch for Internet Explorer 4.01.
4. If the version is 4.0, your system could be affected and we recommend that you download Internet Explorer 4.01 and return to this page to download the patch.
5. If the version is 4.01 (310), you already have the patch and do not need to download it again.

More Information

Please see the following references for more information related to this issue:

Microsoft Security Bulletin MS98-013, Fix available for Internet Explorer Cross Frame Navigate Vulnerability, (the Web posted version of this bulletin), http://www.microsoft.com/security/bulletins/ms98-013.htm

Internet Explorer Security Web site, Fix available for Internet Explorer Cross Frame Navigate Vulnerability, http://www.microsoft.com/ie/security/xframe.htm

Microsoft Knowledge Base (KB) article Q168485, Fix available for Internet Explorer Cross Frame Navigate Vulnerability http://support.microsoft.com/support/kb/articles/q168/4/85.asp

Acknowledgements

Microsoft wishes to acknowledge the contributions of Georgi Guninski for originally reporting this problem.

To learn more about NT Security concerns, subscribe to NTSD

Credits
- Originally reported by Georgio Guninski and Microsoft
- Posted on The NT Shop on September 4, 1998
Hide comments

Comments

  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
Publish