Security Updates

Windows 9X SIG

Microsoft Security Bulletin (MS98-011)

Update available for "Window.External" JScript Vulnerability in Microsoft Internet Explorer 4

Originally Posted: August 17, 1998

Last Revised: August 17, 1998

Summary
Issue
Affected Software Versions
What Microsoft Is Doing
What Customers Should Do
Windows 98 Users
Administrative Workaround
More Information
Revisions

  Summary

Recently Microsoft was notified by Georgi Guninski and NTBugTraq (http://ntbugtraq.ntadvice.com) of a security issue affecting the way Microsoft Internet Explorer 4.0, 4.01 and 4.01 SP1 handles JScript scripts downloaded from web sites.

Microsoft has produced a patch for this issue, which customers should download and apply as soon as possible.

Issue

Microsoft Internet Explorer 4.0, 4.01 and 4.01 SP1 use the JScript Scripting Engine version 3.1 to process scripts on a web page. When Internet Explorer encounters a web page that uses JScript script to invoke the Window.External function with a very long string, Internet Explorer could terminate.

Long strings do not normally occur in scripts and must be intentionally created by someone with malicious intent. A skilled hacker could use this malicious script message to run arbitrary computer code contained in the long string.

In order for users to be affected by this problem, they must visit a web site that was intentionally designed to include a malicious script. See the "Administrative Workaround" section below for more information.

There have not been any reports of customers being affected by this problem.

Affected Software Versions

The following software is affected by this vulnerability:

  • Microsoft Internet Explorer 4.0, 4.01, 4.01 SP1 on Windows 95 and Windows NT 4.0
  • Microsoft Windows 98

Internet Explorer 4 for Windows 3.1, Windows NT 3.51, Macintosh and UNIX (Solaris) are not affected by this problem. Internet Explorer 3.x is not affected by this problem.

What Microsoft is Doing

On August 17th Microsoft released a patch that fixes the problem as reported. This patch is available for download from the Microsoft Scripting Technologies web site, http://www.microsoft.com/msdownload/vbscript/scripting.asp.

Microsoft has also made this patch available as a "Critical Update" for Windows 98 customers through the Windows Update.

Microsoft has sent this security bulletin to customers subscribing to the Microsoft Product Security Notification Service (see http://www.microsoft.com/security for more information about this free customer service).

Microsoft has published the following Knowledge Base (KB) article on this issue:

In addition, Microsoft has notified CERT (http://www.cert.org), an industry security organization, which redistributes security-related information to corporate, government and end-users.

What customers should do

Microsoft highly recommends that users of affected software versions, listed in the "Affected Software Versions" section above, should install the updated version of the Microsoft Scripting Engine 3.1, which contains a fix for this problem. This update can be downloaded from http://www.microsoft.com/msdownload/vbscript/scripting.asp.

Windows 98 Users

Windows 98 customers can also get the updated patch using the Windows Update. To obtain this patch using Windows Update, launch Windows Update from the Windows Start Menu and click "Product Updates." When prompted, select 'Yes' to allow Windows Update to determine whether this patch and other updates are needed by your computer. If your computer does need this patch, you will find it listed under the "Critical Updates" section of the page.

Localized versions of the patch are available from the Microsoft Scripting Technologies web site, http://www.microsoft.com/msdownload/vbscript/scripting.asp.

Administrative workaround

We strongly encourage customers to apply the patch. However, users who cannot apply the patch can use the Zones security feature in Internet Explorer to provide additional protection against this issue by disabling
Active Scripting in the "Internet" and "Restricted Sites" Zones. This would still allow JScript to be run from trusted Internet sites, and on the user's local intranet.

To turn off Active Scripting for the "Internet" Zone:

  1. From Internet Explorer, choose "Internet Options" from the "View" menu.
  2. Click on the tab labeled "Security".
  3. Click on "Internet Zone", then click "Customize Settings".
  4. Scroll to the bottom of the list and click on "Disable" under the "Active Scripting" setting.

These same procedures can be followed for the "Restricted Sites" Zone.

More Information

Please see the following references for more information related to this issue.

Revisions

  • Aug 17, 1998: Bulletin Created

For additional security-related information about Microsoft products, please visit http://www.microsoft.com/security

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

(c) 1998 Microsoft and/or its suppliers. All rights reserved.

For Terms of Use see http://support.microsoft.com/support/misc/cpyright.asp.

You have received this e-mail bulletin as a result of your registration to the Microsoft  Product  Security  Notification Service. You may unsubscribe from this e-mail notification service at any time by sending an  e-mail to microsoft_security-signoff-request@announce.microsoft.com The subject line and message body are not used in processing the request, and can be anything you like.

For more information on the Microsoft Security Notification Service please visit http://www.microsoft.com/security. For security-related information about Microsoft products, please visit the Microsoft Security Advisor web site at http://www.microsoft.com/security.