Microsoft Security Bulletin (MS98-011)
Update available for "Window.External" JScript Vulnerability in Microsoft Internet Explorer 4
Originally Posted: August 17, 1998
Last Revised: August 17, 1998
Recently Microsoft was notified by Georgi Guninski and NTBugTraq (http://ntbugtraq.ntadvice.com) of a security issue affecting the way Microsoft Internet Explorer 4.0, 4.01 and 4.01 SP1 handles JScript scripts downloaded from web sites.
Microsoft has produced a patch for this issue, which customers should download and apply as soon as possible.
Microsoft Internet Explorer 4.0, 4.01 and 4.01 SP1 use the JScript Scripting Engine version 3.1 to process scripts on a web page. When Internet Explorer encounters a web page that uses JScript script to invoke the Window.External function with a very long string, Internet Explorer could terminate.
Long strings do not normally occur in scripts and must be intentionally created by someone with malicious intent. A skilled hacker could use this malicious script message to run arbitrary computer code contained in the long string.
In order for users to be affected by this problem, they must visit a web site that was intentionally designed to include a malicious script. See the "Administrative Workaround" section below for more information.
There have not been any reports of customers being affected by this problem.
The following software is affected by this vulnerability:
Internet Explorer 4 for Windows 3.1, Windows NT 3.51, Macintosh and UNIX (Solaris) are not affected by this problem. Internet Explorer 3.x is not affected by this problem.
On August 17th Microsoft released a patch that fixes the problem as reported. This patch is available for download from the Microsoft Scripting Technologies web site, http://www.microsoft.com/msdownload/vbscript/scripting.asp.
Microsoft has also made this patch available as a "Critical Update" for Windows 98 customers through the Windows Update.
Microsoft has sent this security bulletin to customers subscribing to the Microsoft Product Security Notification Service (see http://www.microsoft.com/security for more information about this free customer service).
Microsoft has published the following Knowledge Base (KB) article on this issue:
In addition, Microsoft has notified CERT (http://www.cert.org), an industry security organization, which redistributes security-related information to corporate, government and end-users.
Microsoft highly recommends that users of affected software versions, listed in the "Affected Software Versions" section above, should install the updated version of the Microsoft Scripting Engine 3.1, which contains a fix for this problem. This update can be downloaded from http://www.microsoft.com/msdownload/vbscript/scripting.asp.
Windows 98 customers can also get the updated patch using the Windows Update. To obtain this patch using Windows Update, launch Windows Update from the Windows Start Menu and click "Product Updates." When prompted, select 'Yes' to allow Windows Update to determine whether this patch and other updates are needed by your computer. If your computer does need this patch, you will find it listed under the "Critical Updates" section of the page.
Localized versions of the patch are available from the Microsoft Scripting Technologies web site, http://www.microsoft.com/msdownload/vbscript/scripting.asp.
We strongly encourage customers to apply the patch.
However, users who cannot apply the patch can use the
Zones security feature in Internet Explorer to provide
additional protection against this issue by disabling
To turn off Active Scripting for the "Internet" Zone:
These same procedures can be followed for the "Restricted Sites" Zone.
Please see the following references for more information related to this issue.
For additional security-related information about Microsoft products, please visit http://www.microsoft.com/security
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.
(c) 1998 Microsoft and/or its suppliers. All rights reserved.
You have received this e-mail bulletin as a result of your registration to the Microsoft Product Security Notification Service. You may unsubscribe from this e-mail notification service at any time by sending an e-mail to firstname.lastname@example.org The subject line and message body are not used in processing the request, and can be anything you like.
For more information on the Microsoft Security Notification Service please visit http://www.microsoft.com/security. For security-related information about Microsoft products, please visit the Microsoft Security Advisor web site at http://www.microsoft.com/security.