Microsoft Security Bulletin (MS98-011) ---------------------------------------------------------------------------- Update available for "Window.External" JScript Vulnerability in Microsoft Internet Explorer 4 Originally Posted: August 17, 1998 Last Revised: August 17, 1998 Summary Recently Microsoft was notified by Georgi Guninski and NTBugTraq of a security issue affecting the way Microsoft Internet Explorer 4.0, 4.01 and 4.01 SP1 handles JScript scripts downloaded from web sites. Microsoft has produced a patch for this issue, which customers should download and apply as soon as possible. Issue Microsoft Internet Explorer 4.0, 4.01 and 4.01 SP1 use the JScript Scripting Engine version 3.1 to process scripts on a web page. When Internet Explorer encounters a web page that uses JScript script to invoke the Window.External function with a very long string, Internet Explorer could terminate. Long strings do not normally occur in scripts and must be intentionally created by someone with malicious intent. A skilled hacker could use this malicious script message to run arbitrary computer code contained in the long string. In order for users to be affected by this problem, they must visit a web site that was intentionally designed to include a malicious script. See the "Administrative Workaround" section below for more information. There have not been any reports of customers being affected by this problem. Affected Software Versions The following software is affected by this vulnerability: * Microsoft Internet Explorer 4.0, 4.01, 4.01 SP1 on Windows 95 and Windows NT 4.0 * Microsoft Windows 98 Internet Explorer 4 for Windows 3.1, Windows NT 3.51, Macintosh and UNIX (Solaris) are not affected by this problem. Internet Explorer 3.x is not affected by this problem. What Microsoft is Doing On August 17th Microsoft released a patch that fixes the problem as reported. This patch is available for download from the Microsoft Scripting Technologies web site, http://www.microsoft.com/msdownload/vbscript/scripting.asp. Microsoft has also made this patch available as a "Critical Update" for Windows 98 customers through the Windows Update. Microsoft has sent this security bulletin to customers subscribing to the Microsoft Product Security Notification Service (see http://www.microsoft.com/security/bulletin.htm for more information about this free customer service). Microsoft has published the following Knowledge Base (KB) article on this issue: * Microsoft Knowledge Base (KB) article Q191200, Update Available for JScript Security Issue http://support.microsoft.com/support/kb/articles/q191/2/00.asp In addition, Microsoft has notified CERT, an industry security organization, which redistributes security-related information to corporate, government and end-users. What customers should do Microsoft highly recommends that users of affected software versions, listed in the "Affected Software Versions" section above, should install the updated version of the Microsoft Scripting Engine 3.1, which contains a fix for this problem. This update can be downloaded from http://www.microsoft.com/msdownload/vbscript/scripting.asp. Windows 98 Users Windows 98 customers can also get the updated patch using the Windows Update. To obtain this patch using Windows Update, launch Windows Update from the Windows Start Menu and click "Product Updates." When prompted, select 'Yes' to allow Windows Update to determine whether this patch and other updates are needed by your computer. If your computer does need this patch, you will find it listed under the "Critical Updates" section of the page. Localized versions of the patch are available from the Microsoft Scripting Technologies web site, http://www.microsoft.com/msdownload/vbscript/scripting.asp. Administrative workaround We strongly encourage customers to apply the patch. However, users who cannot apply the patch can use the Zones security feature in Internet Explorer to provide additional protection against this issue by disabling Active Scripting in the "Untrusted" and "Internet" Zones. This would still allow JScript to be run from trusted Internet sites, and on the local intranet. More Information Please see the following references for more information related to this issue. * Microsoft Security Bulletin MS98-011, Update available for "Window.External" JScript Vulnerability in Microsoft Internet Explorer 4, (the Web posted version of this bulletin), http://www.microsoft.com/security/bulletins/ms98-011.htm * Microsoft Knowledge Base (KB) article Q191200, Update for "Window.External" JScript Issue, http://support.microsoft.com/support/kb/articles/q191/2/00.asp * Microsoft Internet Explorer Security Bulletin, Update available for "Window.External" JScript security issue, http://www.microsoft.com/ie/security/jscript.htm * Windows Update Site, http://windowsupdate.microsoft.com * Microsoft Scripting Technologies web site, http://msdn.microsoft.com/scripting Revisions * Aug 17, 1998: Bulletin Created For additional security-related information about Microsoft products, please visit http://www.microsoft.com/security ---------------------------------------------------------------------------- THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY. © 1998 Microsoft and/or its suppliers. All rights reserved. For Terms of Use see http://support.microsoft.com/support/misc/cpyright.asp.