Kiosks.org Kiosk Newsbit


Microsoft Security Bulletin (MS98-013)

FROM:    Microsoft Product Security Response Team 
TO:      MICROSOFT_SECURITY@ANNOUNCE.MICROSOFT.COM
DATE:    Fri, 4 Sep 1998 10:51:45 -0700

RE:      Microsoft Security Bulletin (MS98-013)

Microsoft Security Bulletin (MS98-013)
--------------------------------------------------------------------
Fix available for Internet Explorer Cross Frame Navigate Vulnerability


Originally Posted: September 4, 1998
Last Revised: September 4, 1998

Summary
=======
Microsoft has released a patch that fixes a recently discovered issue 
with the implementation of cross frame security in Microsoft Internet 
Explorer.  Customers using affected software listed below should download and 
apply these patches as soon as possible.

Issue
=====
The Cross Frame Navigate issue involves a vulnerability in Internet 
Explorer that could allow a malicious hacker to circumvent certain Internet 
Explorer security safeguards. This vulnerability makes it possible for a 
malicious Web site operator to read the contents of files on your computer.

While there have not been any reports of customers being adversely 
affected by these problems, Microsoft is releasing these patches to address the
implied risks posed by these issues.

Affected Software Versions
==========================
The following software is affected by this vulnerability:
 - Microsoft Internet Explorer 4.0, 4.01 and 4.01 SP1 on
   Windows NT 4.0, Windows 95
 - Microsoft Windows 98, with integrated Internet Explorer
   (version 4.01 SP1)
 - Microsoft Internet Explorer 4.0 and 4.01 for Windows 3.1
   and Windows NT 3.51
 - Microsoft Internet Explorer 4.0 and 4.01 for Macintosh
 - Microsoft Internet Explorer 3.x

This vulnerability could also affect software that uses HTML 
functionality provided by Internet Explorer. Anyone using such programs should 
download the patch even if they do not run Internet Explorer as their default
browser.

What Microsoft is Doing
=======================
On September 4th Microsoft released a patch that fixes the problem
identified. This patch is available for download from the sites listed
below.

Microsoft has sent this security bulletin to customers subscribing to 
the Microsoft Product Security Notification Service (see
http://www.microsoft.com/security/bulletin.htm for more information 
about this free customer service).

Microsoft has published the following Knowledge Base (KB) articles on 
this issue:
 - Microsoft Knowledge Base (KB) article Q168485, Fix
   available for Internet Explorer Cross Frame Navigate Vulnerability
   http://support.microsoft.com/support/kb/articles/q168/4/85.asp

What customers should do
========================
Microsoft highly recommends that users of affected software versions, 
listed in the "Affected Software Versions" section above, should download and
install the appropriate patch as soon as possible. Complete URLs for 
each affected software version is given below.

Internet Explorer 4
-------------------
Customers using versions of Internet Explorer listed in the "Affected
Products" section can obtain the patch from the Internet Explorer 
Security web site, http://www.microsoft.com/ie/security/xframe.htm

Windows 98
----------
Windows 98 customers can get the updated patch using the Windows 
Update. To obtain this patch using Windows Update, launch Windows Update from the
Windows Start Menu and click "Product Updates." When prompted, select 
'Yes' to allow Windows Update to determine whether this patch and other 
updates are needed by your computer. If your computer does need this patch, you 
will find it listed under the "Critical Updates" section of the page.

Internet Explorer 3 Users
-------------------------
Users of Internet Explorer 3 should first upgrade to the latest version 
of Internet Explorer 4 and then obtain the patch. Information on updating 
to Internet Explorer 4 can be found from the Internet Explorer download 
site http://www.microsoft.com/ie/download

Additional Details
==================
In addition to the product guidelines above, you can determine if you 
have an affected version of mshtml.dll by following these instructions.

In Windows 98, Windows 95, and Windows NT 4.0
---------------------------------------------
>From the Start Menu select Find and choose Files or Folders.
 1. In the Named box, type mshtml.dll.
 2. In the Look in box, click the down arrow and choose local
    hard drives from the list.
 3. Click Find Now.
 4. If mshtml.dll is not found, your system does not require
    the patch.
 5. If mshtml.dll is found, right-click the file, select
    Properties, and then select the Version tab.
 6. If the file version is less than 4.72.3509.0100, your system
    could be affected and we recommend that you download the
    patch. If the file version is greater than 4.72.3508.2400,
    your system does not need the patch.

In Windows 3.1x
---------------
 1. From the File Menu in File Manager, select Search.
 2. In the Search For box, type mshtml16.dll.
 3. In the Start From box, type your
    [drive]:\[windows directory]\SYSTEM
    (for example, C:\WINDOWS\SYSTEM).
 4. Click OK.
 5. If mshtml16.dll is not found, your system does not
    require the patch.
 6. If mshtml16.dll is found, click the file, press Alt-Enter,
    and then check the Version information.
 7. If the file version is equal to or less than 4.01.2509.0200,
    your system could be affected and we recommend that you
    download the patch. If the file version is greater than
    4.01.2509.0200, your system does not need the patch.

On a Macintosh
--------------
 1. In Internet Explorer, click the Apple icon and select About
    Internet Explorer.
 2. Look at the Internet Explorer version number in the bottom
    left corner of the dialog box.
 3. If the version is 4.01 (PowerPC) or 4.01 (68k), your system
    could be affected and we recommend that you download the patch
    for Internet Explorer 4.01.
 4. If the version is 4.0, your system could be affected and we
    recommend that you download Internet Explorer 4.01 and return
    to this page to download the patch.
 5. If the version is 4.01 (310), you already have the patch and
    do not need to download it again.

More Information
================
Please see the following references for more information related to 
this
issue:
 - Microsoft Security Bulletin MS98-013, Fix available for
   Internet Explorer Cross Frame Navigate Vulnerability,
   (the Web posted version of this bulletin),
   http://www.microsoft.com/security/bulletins/ms98-013.htm
 - Internet Explorer Security Web site, Fix available for
   Internet Explorer Cross Frame Navigate Vulnerability,
   http://www.microsoft.com/ie/security/xframe.htm
 - Microsoft Knowledge Base (KB) article Q168485, Fix available
   for Internet Explorer Cross Frame Navigate Vulnerability
   http://support.microsoft.com/support/kb/articles/q168/4/85.asp

Acknowledgements
================
Microsoft wishes to acknowledge the contributions of Georgi Guninski for originally reporting this problem.

Revisions
=========
 - September 4, 1998: Bulletin Created

For additional security-related information about Microsoft products, 
please visit http://www.microsoft.com/security

--------------------------------------------------------------------
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED 
"AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, 
EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND 
FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR 
ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, 
INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, 
EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR
LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE
FOREGOING LIMITATION MAY NOT APPLY.


(c) 1998 Microsoft and/or its suppliers. All rights reserved.
For Terms of Use see http://support.microsoft.com/support/misc/cpyright.asp.

          =====================================================
You have received  this e-mail bulletin as a result  of your 
registration to  the   Microsoft  Product  Security  Notification   Service.  You  
may unsubscribe from this e-mail notification  service at any time by 
sending an  e-mail  to  MICROSOFT_SECURITY-SIGNOFF-REQUEST@ANNOUNCE.MICROSOFT.COM
The subject line and message body are not used in processing the 
request, and can be anything you like.

For  more  information on  the  Microsoft  Security Notification  
Service please    visit    http://www.microsoft.com/security/bulletin.htm.    
For security-related information  about Microsoft products, please  visit 
the Microsoft Security Advisor web site at http://www.microsoft.com/security.




Thanks Kinetic!

© 1998 Kiosks.Org.
All Rights Reserved.

-->
> >