Microsoft Security Bulletin MS98-011
Update available for "Window.External" JScript Vulnerability in Microsoft Internet Explorer 4.0
Originally Posted: August 17, 1998
Last Revised: August 17, 1998
Recently Microsoft was notified by Georgi Guninski and NTBugTraq of a security issue affecting the way Microsoft® Internet Explorer 4.0, 4.01, and 4.01 SP1 handle JScript scripts downloaded from web sites.
Microsoft has produced a patch for this issue, which customers should download and apply as soon as possible.
Microsoft Internet Explorer 4.0, 4.01, and 4.01 SP1 use the JScript Scripting Engine version 3.1 to process scripts on a Web page. When Internet Explorer encounters a web page that uses JScript script to invoke the Window.External function with a very long string, Internet Explorer could terminate.
Long strings do not normally occur in scripts and must be intentionally created by someone with malicious intent. A skilled hacker could use this malicious script message to run arbitrary computer code contained in the long string.
In order for users to be affected by this problem, they must visit a Web site that was intentionally designed to include a malicious script. See the "Administrative Workaround" section later in the document for more information.
There have not been any reports of customers being affected by this problem.
Affected Software Versions
The following software is affected by this vulnerability:
Vulnerability Identifier: CVE-1999-1093
- Microsoft Internet Explorer 4.0, 4.01, and 4.01 SP1 on Windows® 95 and Windows NT® 4.0 operating systems
- Microsoft Windows 98
Internet Explorer 4.0 for Windows 3.1, Windows NT 3.51, Macintosh, and UNIX (Solaris) are not affected by this problem. Internet Explorer 3.x is not affected by this problem.
What Microsoft Is Doing
On August 17th, Microsoft released a patch that fixes the problem as reported. Contact Microsoft Product Support.
Microsoft has also made this patch available as a Critical Update for Windows 98 customers through the Windows Update.
Microsoft has sent this security bulletin to customers subscribing to the Microsoft Product Security Notification Service. See The Microsoft Product Security Notification Service for more information about this free customer service.
Microsoft has published the following Knowledge Base (KB) article on this issue:
- Microsoft Knowledge Base article 191200, Update Available for JScript Security Issue http://support.microsoft.com/default.aspx?scid=kb;en-us;191200&sd=tech
In addition, Microsoft has notified CERT, an industry security organization, which redistributes security-related information to corporate, government, and end users.
What customers Should Do
Microsoft highly recommends that users of affected software versions, listed in the preceding "Affected Software Versions" section, should install the updated version of the Microsoft Scripting Engine 3.1, which contains a fix for this problem. This update can be downloaded from http://www.microsoft.com/downloads/details.aspx?FamilyID=c717d943-7e4b-4622-86eb-95a22b832caa&DisplayLang=en.
Windows 98 Users
Windows 98 customers can also get the updated patch by using the Windows Update. To obtain this patch using Windows Update, launch Windows Update from the Windows Start Menu and click Product Updates. When prompted, select Yes to allow Windows Update to determine whether this patch and other updates are needed by your computer. If your computer does need this patch, you will find it listed under the Critical Updates section of the page.
Localized versions of the patch are available from the Microsoft Scripting Technologies Web site, http://www.microsoft.com/downloads/details.aspx?FamilyID=c717d943-7e4b-4622-86eb-95a22b832caa&DisplayLang=en.
We strongly encourage customers to apply the patch. However, users who cannot apply the patch can use the Zones security feature in Internet Explorer to provide additional protection against this issue by disabling Active Scripting in the Untrusted and Internet Zones. This would still allow JScript to be run from trusted Internet sites, and on the local intranet.
Please see the following references for more information related to this issue.
- Microsoft Security Bulletin MS98-011, Update available for "Window.External" JScript Vulnerability in Microsoft Internet Explorer 4, (the Web-posted version of this bulletin), http://www.microsoft.com/technet/security/bulletin/ms98-011.mspx
- Microsoft Knowledge Base article 191200, Update for "Window.External" JScript Issue, http://support.microsoft.com/default.aspx?scid=kb;en-us;191200&sd=tech
- Microsoft Internet Explorer Security Bulletin, Update available for "Window.External" JScript security issue, http://www.microsoft.com/technet/archive/ie/downloads/scr31.mspx
- Windows Update Site, http://windowsupdate.microsoft.com
- Microsoft Scripting Technologies Web site, http://msdn.microsoft.com/en-us/library/ms950396.aspx
- August 17, 1998: Bulletin Created
For additional security-related information about Microsoft products, please visit http://www.microsoft.com/technet/security.
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.