Microsoft Security Bulletin (MS00-093)
Patch Available for "Browser Print Template" and "File Upload via Form" Vulnerabilities
Originally posted: December 01, 2000
Microsoft has released a patch that eliminates four security vulnerabilities in Microsoft® Internet Explorer:
The “Browser Print Template” vulnerability, which could enable a malicious web site operator to take unauthorized actions on the computer of a user who visited her site.
The “File Upload via Form” vulnerability, which could enable a malicious web site operator to read files on a visiting user’s computer.
New variants of the “Scriptlet Rendering” and “Frame Domain Verification” vulnerabilities, both of which could enable a malicious web site operator to read files on a visiting user’s computer.
Frequently asked questions regarding this vulnerability and the patch can be found at http://www.microsoft.com/technet/security/bulletin/fq00-093.asp
The three security vulnerabilities eliminated by this patch are unrelated to each other except by the fact that they all occur in the same .dll. We have packaged the fix for all three issues together in one updated .dll together for customer convenience. The vulnerabilities are:
The “Browser Print Template” vulnerability, which affects IE 5.5 only. IE 5.5 introduces a new feature known as Print Templates, which provides the ability to customize how browser pages will look when they’re previewed and printed. A vulnerability exists in the feature that would enable a web application to invoke a custom print template without garnering approval from the user. This poses a security hazard because Print templates are, by design, trusted code and therefore able to execute ActiveX controls, even ones that are not marked as safe for scripting.
The “File Upload via Form” vulnerability, which affects IE versions 5.0 through 5.5. The INPUT TYPE element supports a variety of methods of providing input via HTML forms, one of which allows the user to specify the name of a file to upload to the site. Subject to a number of constraints, it could be possible for a web application to fill in this field with the name of a desired file and then submit the form.
A new variant of the “Scriptlet Rendering” vulnerability, which affects IE version 5.0 through 5.5. The original variant, discussed in Microsoft Security Bulletin MS00-055, involved the ability to render non-HTML file types. This could enable a malicious web site operator to provide bogus information consisting of script, solely for the purpose of introducing it into an IE system file with a known name, then render the file to execute the script. The net effect would be to make the script run in the Local Computer Zone, at which point it could access files on the user's local file system. The new variant operates in exactly the same way, but uses a different mechanism to render the file.
A new variant of the “Frame Domain Verification” vulnerability, which affects IE versions 5.5 through 5.0. As discussed in Microsoft Security Bulletin MS00-033 and MS00-055, several functions do not enforce proper separation of frames in the same window that reside in different domains. The new variant involves an additional function with the same flaw. The net effect of the vulnerability would be to enable a malicious web site operator to open two frames, one in his domain and another on the user’s local file system, and enable the latter to pass information to the former. This patch eliminates all known variants of this vulnerability.
Affected Software Versions
Microsoft Internet Explorer 5.x
Note: The patch requires IE 5.5 or IE 5.01 SP1 to install. Customers who install this patch on other versions may receive a message reading "This update does not need to be installed on this system". This message is incorrect. More information is available in KB article Q279328.
Note: Although one of the vulnerabilities discussed here only affects IE 5.5, the patch above is suitable for installation on either IE 5.5 or IE 5.01 SP1. The patch will detect the version of IE and only install the needed components.
Note: Per the normal security support policy for IE, security patches for Internet Explorer version 4.x are no longer being produced. Microsoft recommends that IE 4.x customers who are concerned about this issue consider upgrading to either IE 5.5 or IE 5.01 SP1.
Note: The fix for this issue will be included in IE 5.5 SP1 and IE 5.01 SP2.
Note Additional security patches are available at the Microsoft Download Center
Please see the following references for more information related to this issue.
Frequently Asked Questions: Microsoft Security Bulletin MS00-093, http://www.microsoft.com/technet/security/bulletin/fq00-093.asp
Microsoft Knowledge Base article Q279328 discusses the “Browser Print Template” and will be available soon.
Microsoft Knowledge Base article Q279329 discusses the “File Upload via Form” vulnerability and will be available soon.
Microsoft Knowledge Base article Q279881 discusses the new variant of the “Scriptlet Rendering” vulnerability and will be available soon.
Microsoft Knowledge Base article Q279330 discusses the new variant of the “Frame Domain Verification” vulnerability and will be available soon.
Microsoft TechNet Security web site, http://www.microsoft.com/technet/security/default.asp
Obtaining Support on this Issue
This is a fully supported patch. Information on contacting Microsoft Product Support Services is available at http://support.microsoft.com/support/contact/default.asp.
Microsoft thanks the following people for working with us to protect customers:
Warren R. Greer for reporting the “Browser Print Template” issue to us.
Juan Carlos Garcia Cuartango (www.s21sec.com) and Vladimir Sulc, jr., (www.microrisc.cz) for reporting the “File Upload via Form” vulnerability to us.
December 01, 2000: Bulletin Created.