
Microsoft Security Bulletin MS99-032 - Critical

Patch Available for "scriptlet.typelib/Eyedog" Vulnerability

Published: August 31, 1999 | Updated: March 21, 2003

Version: 2.0

Patch Availability Information Updated: March 21, 2003
Revised: October 12, 1999
Revised: September 02, 1999
Originally Posted: August 31, 1999

Summary

Microsoft has released a patch that eliminates security vulnerabilities in two ActiveX controls. The net effect of the vulnerabilities is that a web page could take unauthorized action against a person who visited it. Specifically, the web page would be able to do anything on the computer that the user could do.

Frequently asked questions regarding this vulnerability can be found at http://www.microsoft.com/technet/security/bulletin/fq99-032.mspx

Issue

This issue involves two ActiveX controls, scriptlet.typelib and Eyedog. These controls are not in any way related to each other; their only relationship is that both are incorrectly marked as "safe for scripting" and can therefore be called from Internet Explorer.

scriptlet.typelib is a control used by developers to generate Type Libraries for Windows Script Components. It is marked as "safe for scripting", but should not be because it allows local files to be created or modified. The patch removes the "safe for scripting" marking, thereby causing IE to request confirmation from the user before loading the control.

Eyedog is a control used by diagnostic software in Windows. It is marked as "safe for scripting", but should not be because it allows registry information to be queried and machine characteristics to be gathered. In addition, one of the control's methods is vulnerable to a buffer overrun attack. The patch sets the so-called "kill bit", which prevents it from loading within IE.
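The two fixes leave different registry state behind, so both can be audited. The Python sketch below is an added example, not part of the bulletin or of Microsoft's patch: it reads `reg export` text and reports, per control CLSID, whether the kill bit is set or the safe-for-scripting category is still registered. The category GUID, the ActiveX Compatibility key and the 0x400 flag are standard Windows values that the bulletin does not quote, and the CLSIDs in the sample are constructed placeholders, not those of scriptlet.typelib or Eyedog.

```python
import re

# Standard Windows values, not quoted in the bulletin.
SAFE_FOR_SCRIPTING = "{7DD95801-9882-11CF-9FA9-00AA006C08C4}"  # CATID_SafeForScripting
KILL_BIT = 0x400  # bit in the "Compatibility Flags" DWORD
COMPAT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
CLSID_ROOT = r"HKEY_CLASSES_ROOT\CLSID"

def parse_reg(text):
    """Parse .reg export text into {upper-cased key path: {value name: raw data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].upper(), {})
        elif current is not None and (m := re.match(r'"([^"]+)"=(.*)$', line)):
            current[m.group(1).upper()] = m.group(2)
    return keys

def scripting_state(keys, clsid):
    """Classify one control. Registry marking only: a control that declares
    safety at run time through IObjectSafety is not detected here."""
    clsid = clsid.upper()
    flags = keys.get(f"{COMPAT}\\{clsid}".upper(), {}).get("COMPATIBILITY FLAGS", "dword:0")
    if flags.lower().startswith("dword:") and int(flags[6:], 16) & KILL_BIT:
        return "killed"              # kill bit set: the Eyedog-style fix
    category = f"{CLSID_ROOT}\\{clsid}\\Implemented Categories\\{SAFE_FOR_SCRIPTING}"
    if category.upper() in keys:
        return "safe-for-scripting"  # still marked as callable from page script
    return "unmarked"                # marking absent: the scriptlet.typelib-style fix

# Constructed sample export; the CLSIDs are placeholders, not the real controls'.
SAMPLE = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-0000000000A1}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C08C4}]

[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-0000000000B2}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C08C4}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-0000000000B2}]
"Compatibility Flags"=dword:00000400

[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-0000000000C3}]
@="Unmarked control"
"""

if __name__ == "__main__":
    keys = parse_reg(SAMPLE)
    for suffix in ("A1", "B2", "C3"):
        print(suffix, scripting_state(keys, "{00000000-0000-0000-0000-0000000000%s}" % suffix))
```

The kill bit is checked first because it takes precedence: placeholder control B2 still carries the safe-for-scripting category but is reported as killed.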

Affected Software Versions

  • Microsoft Internet Explorer 4.0 and 5.0

Vulnerability Identifiers

Patch Availability

The patch is available at the following locations:

The patch is also available at the following alternative locations:

More Information

Please see the following references for more information related to this issue.

Obtaining Support on this Issue

This is a fully supported patch. Information on contacting Microsoft Technical Support is available at http://support.microsoft.com/contactussupport/?ws=support.

Acknowledgments

Microsoft acknowledges Georgi Guninski, independent consultant, for reporting the "scriptlet.typelib" vulnerability to us, and Shane Hird of Australia, Adrian O'Neill and Richard Smith for reporting the "Eyedog" vulnerability to us.

Revisions

  • August 31, 1999: Bulletin Created.
  • September 02, 1999: Provided direct link to patch file for Windows 95 and 98 users.
  • October 12, 1999: Updated to provide information on availability of patch via WindowsUpdate.
  • V2.0 (March 21, 2003): Introduced versioning and updated patch availability information.

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

© 2014 Microsoft. All rights reserved.