[ISN] Microsoft Security Bulletin (MS98-011)

From: mea culpa (jerichoat_private)
Date: Tue Aug 18 1998 - 13:43:03 PDT


    Forwarded From: Microsoft Product Security Response Team <secureat_private>
    
    Microsoft Security Bulletin (MS98-011)
    ------------------------------------------------------------------------
    Update available for "Window.External" JScript Vulnerability
    in Microsoft Internet Explorer 4
    
    
    Originally Posted: August 17, 1998
    Last Revised: August 17, 1998
    
    Summary
    =======
    Recently Microsoft was notified by Georgi Guninski and NTBugTraq
    (http://ntbugtraq.ntadvice.com) of a security issue affecting the way
    Microsoft Internet Explorer 4.0, 4.01 and 4.01 SP1 handles JScript scripts
    downloaded from web sites.
    
    Microsoft has produced a patch for this issue, which customers should
    download and apply as soon as possible.
    
    Issue
    =====
    Microsoft Internet Explorer 4.0, 4.01 and 4.01 SP1 use the JScript Scripting
    Engine version 3.1 to process scripts on a web page. When Internet Explorer
    encounters a web page that uses JScript script to invoke the Window.External
    function with a very long string, Internet Explorer could terminate.
    
    Long strings do not normally occur in scripts and must be intentionally
    created by someone with malicious intent. A skilled hacker could use this
    malicious script message to run arbitrary computer code contained in the
    long string.
    
    In order for users to be affected by this problem, they must visit a web
    site that was intentionally designed to include a malicious script. See the
    "Administrative Workaround" section below for more information.
    
    There have not been any reports of customers being affected by this problem.
    
    
    Affected Software Versions
    ==========================
    The following software is affected by this vulnerability:
     - Microsoft Internet Explorer 4.0, 4.01, 4.01 SP1 on Windows 95
       and Windows NT 4.0
     - Microsoft Windows 98
    
    Internet Explorer 4 for Windows 3.1, Windows NT 3.51, Macintosh and UNIX
    (Solaris) are not affected by this problem. Internet Explorer 3.x is not
    affected by this problem.
    
    What Microsoft is Doing
    =======================
    On August 17th Microsoft released a patch that fixes the problem as
    reported. This patch is available for download from the Microsoft Scripting
    Technologies web site,
    http://www.microsoft.com/msdownload/vbscript/scripting.asp.
    
    Microsoft has also made this patch available as a "Critical Update" for
    Windows 98 customers through the Windows Update.
    
    Microsoft has sent this security bulletin to customers subscribing to the
    Microsoft Product Security Notification Service (see
    http://www.microsoft.com/security/bulletin.htm for more information about
    this free customer service).
    
    Microsoft has published the following Knowledge Base (KB) article on this
    issue:
     - Microsoft Knowledge Base (KB) article Q191200, Update Available
       for JScript Security Issue,
       http://support.microsoft.com/support/kb/articles/q191/2/00.asp
    
    In addition, Microsoft has notified CERT (http://www.cert.org), an industry
    security organization, which redistributes security-related information to
    corporate, government and end-users.
    
    What customers should do
    ========================
    Microsoft highly recommends that users of affected software versions, listed
    in the "Affected Software Versions" section above, should install the
    updated version of the Microsoft Scripting Engine 3.1, which contains a fix
    for this problem. This update can be downloaded from
    http://www.microsoft.com/msdownload/vbscript/scripting.asp.
    
    Windows 98 Users
    ----------------
    Windows 98 customers can also get the updated patch using the Windows
    Update. To obtain this patch using Windows Update, launch Windows Update
    from the Windows Start Menu and click "Product Updates." When prompted,
    select 'Yes' to allow Windows Update to determine whether this patch and
    other updates are needed by your computer. If your computer does need this
    patch, you will find it listed under the "Critical Updates" section of the
    page.
    
    Localized versions of the patch are available from the Microsoft Scripting
    Technologies web site,
    http://www.microsoft.com/msdownload/vbscript/scripting.asp.
    
    Administrative workaround
    =========================
    We strongly encourage customers to apply the patch. However, users who
    cannot apply the patch can use the Zones security feature in Internet
    Explorer to provide additional protection against this issue by disabling
    Active Scripting in the "Internet" and "Restricted Sites" Zones. This would
    still allow JScript to be run from trusted Internet sites, and on the user's
    local intranet.
    
    To turn off Active Scripting for the "Internet" Zone:
     1. From Internet Explorer, choose "Internet Options" from the "View" menu.
     2. Click on the tab labeled "Security".
     3. Click on "Internet Zone", then click "Customize Settings".
     4. Scroll to the bottom of the list and click on "Disable" under the
        "Active Scripting" setting.
    
    These same procedures can be followed for the "Restricted Sites" Zone.
    
    More Information
    ================
    Please see the following references for more information related to this
    issue.
     - Microsoft Security Bulletin MS98-011, Update available for
       "Window.External" JScript Vulnerability in Microsoft Internet
       Explorer 4 (the Web posted version of this bulletin),
       http://www.microsoft.com/security/bulletins/ms98-011.htm
     - Microsoft Knowledge Base (KB) article Q191200, Update for
       "Window.External" JScript Issue,
       http://support.microsoft.com/support/kb/articles/q191/2/00.asp
     - Microsoft Internet Explorer Security Bulletin, Update available for
       "Window.External" JScript security issue,
       http://www.microsoft.com/ie/security/jscript.htm
     - Windows Update Site, http://windowsupdate.microsoft.com
     - Microsoft Scripting Technologies web site,
       http://msdn.microsoft.com/scripting
    
    Revisions
    =========
     - Aug 17, 1998: Bulletin Created
    
    For additional security-related information about Microsoft products, please
    visit http://www.microsoft.com/security
    
    ------------------------------------------------------------------------
    
    THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS"
    WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER
    EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS
    FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS
    SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
    INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN
    IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
    POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR
    LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE
    FOREGOING LIMITATION MAY NOT APPLY.
    
    
    (c) 1998 Microsoft and/or its suppliers. All rights reserved.
    For Terms of Use see http://support.microsoft.com/support/misc/cpyright.asp.
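
Added example, not part of the Microsoft bulletin: a Python check that the administrative workaround described above is in effect, run over a registry export. It assumes the Internet Explorer zone layout under `Internet Settings\Zones` (3 = Internet, 4 = Restricted Sites) and action value 1400 for Active Scripting, neither of which the bulletin states; the export shown is constructed.

```python
import re

# Assumed registry layout (not stated in the bulletin): per-zone settings live under
# ...\Internet Settings\Zones\<n>, where 3 = Internet and 4 = Restricted Sites,
# and value "1400" is the Active Scripting action (0 enable, 1 prompt, 3 disable).
ZONES = {"3": "Internet", "4": "Restricted Sites"}
ACTION_ACTIVE_SCRIPTING = "1400"
POLICY = {0: "enabled", 1: "prompt", 3: "disabled"}

KEY_RE = re.compile(r"^\[(?P<path>.+)\]$")
ZONE_RE = re.compile(r"\\Internet Settings\\Zones\\(?P<zone>\d+)$", re.IGNORECASE)
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9a-fA-F]{8})$')


def audit_active_scripting(reg_text):
    """Map each audited zone to enabled, prompt, disabled, not set or unknown(0x..)."""
    result = {name: "not set" for name in ZONES.values()}
    zone = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:  # a new key header: remember which zone (if any) we are inside
            m = ZONE_RE.search(key.group("path"))
            zone = m.group("zone") if m else None
            continue
        value = DWORD_RE.match(line)
        if zone in ZONES and value and value.group("name") == ACTION_ACTIVE_SCRIPTING:
            setting = int(value.group("hex"), 16)
            result[ZONES[zone]] = POLICY.get(setting, "unknown(0x%x)" % setting)
    return result


def unprotected_zones(reg_text):
    """Zones where the workaround is not in effect (anything other than 'disabled')."""
    return sorted(z for z, s in audit_active_scripting(reg_text).items() if s != "disabled")


# Constructed sample export: Internet zone hardened, Restricted Sites still scripting.
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
"1400"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1400"=dword:00000003

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
"1400"=dword:00000000
"""
```

A zone reported as "not set" has no explicit value in the export, so it is treated as unprotected rather than assumed safe.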
    