For previously posted bulletins, check here
http://www.sysopt.com/forum/Forum1/HTML/001603.html
Microsoft Security Bulletin (MS99-030)
--------------------------------------
Updated Patch Available for Office "ODBC Vulnerabilities"
Originally Posted: August 20, 1999
Revised: August 23, 1999
Re-released: October 08, 1999
Summary
=======
Microsoft has released an updated patch that eliminates security
vulnerabilities in the Microsoft(r) Jet database engine. A patch originally
was released in August 1999, but an additional variant of one
vulnerability, the "Text I-ISAM" vulnerability, was subsequently
discovered. The new variant could allow a database query to delete files on
a user's computer. This bulletin has been re-released to discuss the
vulnerabilities in their entirety.
The vulnerabilities in total could affect any application that runs atop
Jet, and could allow a database query to take virtually any action on a
user's computer. Microsoft recommends that all customers who are running
applications that use Jet, especially users of Microsoft Office 97 and
Office 2000, install the patch. Customers who applied the original patch
should apply the new one to ensure that they are fully protected against
all variants. Customers who did not previously apply the patch need only
apply the new version.
Additional information and frequently asked questions regarding
this vulnerability can be found at
http://www.microsoft.com/security/bulletins/MS99-030faq.asp
=========================
Microsoft Security Bulletin (MS99-040)
--------------------------------------
Patch Available for "Download Behavior" Vulnerability
Originally Posted: September 28, 1999
Updated: October 08, 1999
Summary
=======
On September 28, 1999, Microsoft released the original version of this
bulletin, in order to provide a workaround for a security vulnerability in
Microsoft(r) Internet Explorer 5 that could allow a malicious web site
operator to read files on the computer of a person who visited the site.
Microsoft has completed a patch that completely eliminates the
vulnerability, and has re-released this bulletin in order to advise
customers of its availability.
Frequently asked questions regarding this vulnerability can be found
at http://www.microsoft.com/security/bulletins/MS99-040faq.asp
socalgal
10-12-1999, 08:26 PM
Sorry this is late!
The following is a Security Bulletin from the Microsoft Product Security
Notification Service.
********************************
Microsoft Security Bulletin (MS99-042)
--------------------------------------
Workaround Available for "IFRAME ExecCommand" Vulnerability
Originally Posted: October 11, 1999
Summary
=======
Microsoft has learned of a vulnerability in Microsoft(r) Internet Explorer 5
that could allow a malicious web site operator to read files on the
computer of a user who visited the site, under certain circumstances.
Microsoft is developing a patch that will eliminate the vulnerability; in
the meantime, a temporary workaround is discussed below.
Frequently asked questions regarding this vulnerability can be found
at www.microsoft.com/security/bulletins/MS99-042faq.asp (http://www.microsoft.com/security/bulletins/MS99-042faq.asp)
Issue
=====
The IE 5 security model normally restricts the Document.ExecCommand() method
to prevent it from taking inappropriate action on a user's computer.
However, at least one of these restrictions is not present if the method is
invoked on an IFRAME. This could allow a malicious web site operator to
read the contents of files on visiting users' computers, if he or she knew
the name of the file and the folder in which it resided. The vulnerability
would not allow the malicious user to list the contents of folders, create,
modify or delete files, or to usurp any administrative control over the
machine.
Affected Software Versions
==========================
- Microsoft Internet Explorer 5
Workaround
==========
As an interim step while the patch is under development, Microsoft
recommends that customers add sites that they trust to the Trusted Zone,
and disable Active Scripting in the Internet Zone. This will provide full
functionality for all trusted sites, while preventing untrusted sites from
being able to exploit this vulnerability. The FAQ provides details on how to
do this, and how to manage Security Zones in general.
[This message has been edited by socalgal (edited 10-18-1999).]
socalgal
10-16-1999, 05:54 PM
Apologies again for lateness!
-------------------
The following is a Security Bulletin from the Microsoft Product Security
Notification Service.
Please do not reply to this message, as it was sent from an unattended
mailbox.
********************************
Microsoft Security Bulletin (MS99-042)
--------------------------------------
Patch Available for "IFRAME ExecCommand" Vulnerability
Originally Posted: October 11, 1999
Updated: October 15, 1999
Summary
=======
On October 11, 1999, Microsoft released the original version of this
bulletin, in order to advise customers of a workaround for a vulnerability
in Microsoft(r) Internet Explorer. The vulnerability could allow a malicious
web site operator to read files on the computer of a user who visited the
site, under certain circumstances. Microsoft has completed a patch that
completely eliminates the vulnerability, and has re-released this bulletin
in order to advise customers of its availability.
Frequently asked questions regarding this vulnerability can be found
at www.microsoft.com/security/bulletins/MS99-042faq.asp (http://www.microsoft.com/security/bulletins/MS99-042faq.asp)
Issue
=====
The Internet Explorer security model normally restricts the
Document.ExecCommand() method to prevent it from taking inappropriate action
on a user's computer. However, at least one of these restrictions is not
present if the method is invoked on an IFRAME. This could allow a malicious
web site operator to read the contents of files on visiting users'
computers, if he or she knew the name of the file and the folder in which it
resided. The vulnerability would not allow the malicious user to list the
contents of folders, create, modify or delete files, or to usurp any
administrative control over the machine.
A patch that corrects this vulnerability is available at the location
discussed below. This patch also includes the previously-released fix for
the "Download Behavior" vulnerability.
Affected Software Versions
==========================
- Microsoft Internet Explorer 4.01, versions prior
to Service Pack 2
- Microsoft Internet Explorer 5
Patch Availability
==================
Internet Explorer 4.01 users should apply IE 4.01 Service Pack 2 at:
- www.microsoft.com/windows/ie/download/windows.htm (http://www.microsoft.com/windows/ie/download/windows.htm)
Internet Explorer 5 should apply that patch for this vulnerability at:
- Intel Platform: ftp://ftp.microsoft.com/peropsys/IE/IE-Public/Fixes/
usa/IE50/MSHTML-fix/x86/q243638.exe
- Alpha Platform: ftp://ftp.microsoft.com/peropsys/IE/IE-Public/Fixes/
usa/IE50/MSHTML-fix/Alpha/q243638.exe
NOTE: Line breaks have been inserted into the URLs above to improve
readability.
NOTE: The IE5 patch also includes the previously-released fix for the
"Download Behavior" vulnerability, discussed in
www.microsoft.com/security/bulletins/ms99-040.asp (http://www.microsoft.com/security/bulletins/ms99-040.asp)
NOTE: The IE5 patch also will be available shortly at
windowsupdate.microsoft.com (http://windowsupdate.microsoft.com) When this happens, this bulletin
will be modified to provide the download location.
More Information
================
Please see the following references for more information related to this
issue.
- Microsoft Security Bulletin MS99-042: Frequently Asked Questions,
www.microsoft.com/security/bulletins/MS99-042faq.asp (http://www.microsoft.com/security/bulletins/MS99-042faq.asp)
- Microsoft Knowledge Base (KB) article Q243638,
Update Available for "IFRAME ExecCommand" Vulnerability in Internet
Explorer 5,
support.microsoft.com/support/kb/articles/q243/6/38.asp (http://support.microsoft.com/support/kb/articles/q243/6/38.asp)
(Note: It may take 24 hours from the original posting of this bulletin
for this KB article to be visible.)
- Microsoft Security Advisor web site,
www.microsoft.com/security/default.asp (http://www.microsoft.com/security/default.asp)
Obtaining Support on this Issue
===============================
This is a fully supported patch. Information on contacting Microsoft
Technical Support is available at
support.microsoft.com/support/contact/default.asp (http://support.microsoft.com/support/contact/default.asp)
Acknowledgments
===============
Microsoft acknowledges Georgi Guninski for bringing this issue to our
attention.
Revisions
=========
- October 11, 1999: Bulletin Created.
- October 15, 1999: Bulletin re-released to provide information on
availability of patch.
[This message has been edited by socalgal (edited 10-18-1999).]
socalgal
10-18-1999, 09:09 PM
The following is a Security Bulletin from the Microsoft Product Security
Notification Service.
Please do not reply to this message, as it was sent from an unattended
mailbox.
********************************
Microsoft Security Bulletin (MS99-043)
--------------------------------------
Workaround Available for "Javascript Redirect" Vulnerability
Originally Posted: October 18, 1999
Summary
=======
Microsoft has learned of a vulnerability in Microsoft(r) Internet Explorer
that could allow a malicious web site operator to read files on the
computer of a user who visited the site, under certain circumstances.
Microsoft is developing a patch that will eliminate the vulnerability; in
the meantime, a temporary workaround is discussed below.
Frequently asked questions regarding this vulnerability can be found
at http://www.microsoft.com/security/bulletins/MS99-043faq.asp
Issue
=====
Client-local data that is displayed in the browser window can be made
available to the server by using a redirect to a Javascript applet running
in the same window. This in effect bypasses cross-domain security and makes
the data available to the applet, which could then send the data to a
hostile server. This could allow a malicious web site operator to read the
contents of files on visiting users' computers, if he or she knew the name
of the file and the folder in which it resided. The vulnerability would not
allow the malicious user to list the contents of folders, create, modify or
delete files, or to usurp any administrative control over the machine.
Affected Software Versions
==========================
- Microsoft Internet Explorer 4.01 and 5.
Workaround
==========
As an interim step while the patch is under development, Microsoft
recommends that customers add sites that they trust to the Trusted Zone,
and disable Active Scripting in the Internet Zone. This will provide full
functionality for all trusted sites, while preventing untrusted sites from
being able to exploit this vulnerability. The FAQ provides details on how to
do this, and how to manage Security Zones in general.
More Information
================
Please see the following references for more information related to this
issue.
- Microsoft Security Bulletin MS99-043: Frequently Asked Questions,
http://www.microsoft.com/security/bulletins/MS99-043faq.asp
- Microsoft Security Advisor web site,
http://www.microsoft.com/security/default.asp
Obtaining Support on this Issue
===============================
This is a fully supported workaround. Information on contacting Microsoft
Technical Support is available at
http://support.microsoft.com/support/contact/default.asp
Revisions
=========
- October 18, 1999: Bulletin Created.
Vampiel
10-19-1999, 12:17 AM
keep up the good work! appreciate the board to all moderators/sponsors etc...! and the users as well! |)
[This message has been edited by Vampiel (edited 10-19-1999).]
socalgal
10-20-1999, 09:53 PM
Thanks Vampiel! /forum/smile.gif
------------------
The following is a Security Bulletin from the Microsoft Product Security
Notification Service.
Please do not reply to this message, as it was sent from an unattended
mailbox.
********************************
Microsoft Security Bulletin (MS99-044)
--------------------------------------
Patch Available for "Excel SYLK" Vulnerability
Originally Posted: October 20, 1999
Summary
=======
Microsoft has released a patch that eliminates two vulnerabilities in
Microsoft(r) Excel 97 and 2000 that could allow macros to run without
warning under certain conditions.
Frequently asked questions regarding this vulnerability can be found
at http://www.microsoft.com/security/bulletins/MS99-044faq.asp
Issue
=====
The primary vulnerability addressed by this patch is the "Excel SYLK"
vulnerability. Symbolic Link (SYLK) files can contain macros; if such a
file were opened in Excel 97 or 2000, the macro would run without asking
for the user's permission. These macros could take any action on the
computer that the user could take.
This patch also eliminates a vulnerability involving how Excel 97 imports
macros created by Lotus 1-2-3 or Quattro Pro. When such a macro is
imported, Excel 97 runs it without asking for the user's permission. These
macros could be used to delete files on the user's computer, but could take
no other action.
Affected Software Versions
==========================
- Microsoft Excel 97, whether shipped alone or as part of Office 97.
- Microsoft Excel 2000, whether shipped alone or as part of Office 2000.
More Information
================
Please see the following references for more information related to this
issue.
- Microsoft Security Bulletin MS99-044: Frequently Asked Questions,
http://www.microsoft.com/security/bulletins/MS99-044faq.asp
- Microsoft Knowledge Base (KB) article Q241900,
XL97: Opening Lotus 1-2-3 File May Execute Macro Without Warning,
http://support.microsoft.com/support/kb/articles/q241/9/00.asp
- Microsoft Knowledge Base (KB) article Q241901,
XL2000: Macro Virus Warning Does Not Appear Opening SYLK File,
http://support.microsoft.com/support/kb/articles/q241/9/01.asp
- Microsoft Knowledge Base (KB) article Q241902,
XL97: Macro Virus Warning Does Not Appear Opening SYLK File,
http://support.microsoft.com/support/kb/articles/q241/9/02.asp
- Microsoft Security Advisor web site,
http://www.microsoft.com/security/default.asp
NOTE: It may take 24 hours from the original posting of this bulletin for
the KB articles to be visible.
Obtaining Support on this Issue
===============================
This is a fully supported patch. Information on contacting Microsoft
Technical Support is available at
http://support.microsoft.com/support/contact/default.asp
Acknowledgments
===============
Microsoft acknowledges David Young of Derby, UK, for bringing the "Excel
SYLK" vulnerability to our attention.
Revisions
=========
- October 20, 1999: Bulletin Created.
socalgal
10-21-1999, 12:38 AM
For good measure..
http://officeupdate.microsoft.com/
socalgal
10-21-1999, 11:44 PM
The following is a Security Bulletin from the Microsoft Product Security
Notification Service.
Please do not reply to this message, as it was sent from an unattended
mailbox.
********************************
Microsoft Security Bulletin (MS99-045)
--------------------------------------
Patch Available "Virtual Machine Verifier" Vulnerability
Originally Posted: October 21, 1999
Summary
=======
Microsoft has released a new version of the Microsoft(r) virtual machine
(Microsoft VM) that eliminates a security vulnerability that could allow a
Java applet to take unauthorized actions on the computer of a web site
visitor. Although no standard Java compiler can generate such an applet, a
Java applet constructed by hand with a Java bytecode assembler could bypass
the sandbox and take virtually any action on the computer that the user
would be capable of taking.
Frequently asked questions regarding this vulnerability can be found
at http://www.microsoft.com/security/bulletins/MS99-045faq.asp
Issue
=====
The Microsoft VM is a virtual machine for the Win32(r) operating
environment. It runs atop Microsoft Windows(r) 95, 98 or Windows NT(r). It
ships as part of each operating system, and also as part of Microsoft
Internet Explorer.
The version of the Microsoft VM that ships with Microsoft Internet Explorer
4.0 and Internet Explorer 5.0 contains a security vulnerability in the
bytecode verifier that could allow a Java applet to operate outside the
bounds set by the sandbox. If hosted on a web site, it could cause any
action to be taken on the computer of a visiting user that the user himself
could take. This could include, for example, creating, deleting or
modifying files, sending data to or receiving data from a web site, or
reformatting the hard drive.
Affected Software Versions
==========================
Versions of the Microsoft VM are identified by build numbers, which can be
determined using the JVIEW tool, as discussed in the FAQ. The following
builds of the Microsoft VM are affected:
- All builds in the 2000 series
- All builds in the 3000 series prior to but not including build 3188
NOTE: The Microsoft VM ships as part of several products. However, the
primary ship vehicle is Internet Explorer. IE 4 ships with builds in the
2000 series; IE 5 ships with builds in the 3000 series.
Patch Availability
==================
http://www.microsoft.com/java/vm/dl_vm32.htm
NOTE: The above URL installs the latest version of the 3000 series. It can
be installed by anyone, including customers currently using a 2000 series
build. A new version in the 2000 series will be available shortly for
customers who are using a 2000 series build and do not wish to upgrade to
the 3000 series. When this is available, we will modify the bulletin to
provide the specific URL.
NOTE: A patch also will be available shortly at
http://windowsupdate.microsoft.com When this happens, we will modify the
bulletin to provide the specific URL.
More Information
================
Please see the following references for more information related to this
issue.
- Microsoft Security Bulletin MS99-045: Frequently Asked Questions,
http://www.microsoft.com/security/bulletins/MS99-045faq.asp
- Microsoft Knowledge Base (KB) article Q244283,
Bypassing Java Sandbox Results in VM Security Vulnerability,
http://support.microsoft.com/support/kb/articles/q244/2/83.asp
(Note: It may take 24 hours from the original posting of this bulletin
for this KB article to be visible.)
- Microsoft Security Advisor web site,
http://www.microsoft.com/security/default.asp
Obtaining Support on this Issue
===============================
This is a fully supported patch. Information on contacting Microsoft
Technical Support is available at
http://support.microsoft.com/support/contact/default.asp
Revisions
=========
- October 21, 1999: Bulletin Created.
[This message has been edited by socalgal (edited 10-21-1999).]
socalgal
10-22-1999, 10:54 PM
The following is a Security Bulletin from the Microsoft Product Security
Notification Service.
Please do not reply to this message, as it was sent from an unattended
mailbox.
********************************
Microsoft Security Bulletin (MS99-046)
--------------------------------------
Patch Available to Improve TCP Initial Sequence Number Randomness
Originally Posted: October 22, 1999
Summary
=======
Microsoft has released a patch that significantly improves the randomness of
the TCP initial sequence numbers (ISNs) generated by the TCP/IP stack in
Microsoft(r) Windows NT(r) 4.0. Improving the randomness of ISNs eliminates
a class of potential attacks against Windows NT 4.0 systems.
Frequently asked questions regarding this vulnerability can be found
at http://www.microsoft.com/security/bulletins/MS99-046faq.asp
Issue
=====
The ISNs used in TCP/IP sessions should be as random as possible in order to
prevent attacks such as IP address spoofing and session hijacking. This
patch improves the randomness of the Windows NT 4.0 TCP/IP ISN generation,
providing 15 bits of entropy.
Affected Software Versions
==========================
- Microsoft Windows NT 4.0 Workstation
- Microsoft Windows NT 4.0 Server
- Microsoft Windows NT 4.0 Server, Enterprise Edition
- Microsoft Windows NT 4.0 Server, Terminal Server Edition
NOTE: Line breaks have been inserted into the above URLs for readability.
More Information
================
Please see the following references for more information related to this
issue.
- Microsoft Security Bulletin MS99-046: Frequently Asked Questions,
http://www.microsoft.com/security/bulletins/MS99-046faq.asp
- Microsoft Knowledge Base (KB) article Q243835,
How to Prevent Predictable TCP/IP Initial Sequence Numbers,
http://support.microsoft.com/support/kb/articles/q243/8/35.asp
(Note: It may take 24 hours from the original posting of this
bulletin for this KB article to be visible.)
- CERT Advisory CA-95.01,
Topic: IP Spoofing Attacks and Hijacked Terminal Connections,
http://www.cert.org/advisories/
CA-95.01.IP.spoofing.attacks.and.hijacked.terminal.co nnections.html
(Note: A line break has been inserted into the above URL for readability)
- Microsoft Security Advisor web site,
http://www.microsoft.com/security/default.asp
Obtaining Support on this Issue
===============================
This is a fully supported patch. Information on contacting Microsoft
Technical Support is available at
http://support.microsoft.com/support/contact/default.asp
Acknowledgments
===============
Microsoft acknowledges National Bank of Kuwait for bringing this issue to
our attention.
Revisions
=========
- October 22, 1999: Bulletin Created.
socalgal
11-04-1999, 08:00 PM
The following is a Security Bulletin from the Microsoft Product Security
Notification Service.
Please do not reply to this message, as it was sent from an unattended
mailbox.
********************************
Microsoft Security Bulletin (MS99-047)
--------------------------------------
Patch Available for "Malformed Spooler Request" Vulnerability
Originally Posted: November 04, 1999
Summary
=======
Microsoft has released a patch that eliminates a security vulnerability in
Microsoft(r) Windows NT(r) 4.0. The vulnerability could allow a user to
cause the print spooler service to crash, or to run arbitrary code on a
Windows NT machine. The patch also eliminates a vulnerability that could
allow a user to substitute code of their choosing for a print provider that
runs in a privileged state.
Frequently asked questions regarding this vulnerability can be found
at http://www.microsoft.com/security/bulletins/MS99-047faq.asp
Issue
=====
Certain APIs in the Windows NT 4.0 print spooler subsystem have unchecked
buffers. If an affected API were provided with random data as input, it
could crash the print spooler service. If it were provided with a
specially-malformed argument, it could be used to run arbitrary code on the
server via a classic buffer overrun attack. The majority of the affected
APIs require the caller to be a member of the Power Users or Administrators
group; however, at least one is callable by normal users. None of the calls
could be made by anonymous users, but the calls could be made remotely.
A second vulnerability exists because incorrect permissions would allow a
normal user to specify his or her own code as a print provider. Because
print providers run in a local System context, this would allow the user to
gain additional privileges on the local machine. This vulnerability could
not be exploited remotely.
Affected Software Versions
==========================
- Microsoft Windows NT 4.0 Workstation
- Microsoft Windows NT 4.0 Server
- Microsoft Windows NT 4.0 Server, Enterprise Edition
- Microsoft Windows NT 4.0 Server, Terminal Server Edition
Patch Availability
==================
Windows NT 4.0 Workstation, Windows NT 4.0 Server and Windows NT 4.0 Server,
Enterprise Edition:
- X86:
http://download.microsoft.com/download/winntsrv40/Patch/
Spooler-fix/NT4/EN-US/Q243649.exe
- Alpha:
http://download.microsoft.com/download/winntsrv40/Patch/
Spooler-fix/ALPHA/EN-US/Q243649.exe
NOTE: Line breaks have been inserted into the above URLs for readability.
NOTE: The patches above can be installed on systems running Windows
NT 4.0 Service Pack 5 or 6. A version that can be installed on systems
running previous service packs will be released shortly.
- Windows NT 4.0 Server, Terminal Server Edition:
To be released shortly
More Information
================
Please see the following references for more information related to this
issue.
- Microsoft Security Bulletin MS99-047: Frequently Asked Questions,
http://www.microsoft.com/security/bulletins/MS99-047faq.asp
- Microsoft Knowledge Base (KB) article Q243649,
Unchecked Print Spooler Buffer may Expose System Vulnerability,
http://support.microsoft.com/support/kb/articles/q243/6/49.asp
(Note: It may take 24 hours from the original posting of this bulletin
for this KB article to be visible.)
- Microsoft Security Advisor web site,
http://www.microsoft.com/security/default.asp
Obtaining Support on this Issue
===============================
This is a fully supported patch. Information on contacting Microsoft
Technical Support is available at
http://support.microsoft.com/support/contact/default.asp
Acknowledgments
===============
Microsoft acknowledges the eEye Digital Security Team (www.eEye.com/release)
for discovering the buffer overrun vulnerability and reporting it to us.
Revisions
=========
- November 04, 1999: Bulletin Created.
socalgal
11-04-1999, 08:02 PM
The following is a Security Bulletin from the Microsoft Product Security
Notification Service.
Please do not reply to this message, as it was sent from an unattended
mailbox.
********************************
On October 15, 1999, Microsoft released Security Bulletin MS99-042, which
discussed the availability of a patch that eliminates the "IFRAME
ExecCommand" vulnerability in Microsoft(r) Internet Explorer 4.01 and 5.0.
However, we subsequently determined that the patch contained a regression
error. While the patch did provide protection against the "IFRAME
ExecCommand" vulnerability, it re-exposed a previously-patched security
vulnerability. We have corrected the regression error and re-released the
patch.
We have updated the security bulletin and FAQ, and it is available at
http://www.microsoft.com/security/bulletins/ms99-042.asp The updated
bulletin contains information on the vulnerability, the regression error,
and the updated patch. Please note that the regression error only affected
the IE 5.0 version of the patch; the patch for IE 4.01 was unaffected, and
customers who applied it do not need to take any action.
We apologize for any inconvenience caused by this incident, and are working
to improve our process in order to prevent similar incidents in the future.
Regards,
The Microsoft Security Response Team
socalgal
11-11-1999, 08:30 PM
Microsoft Security Bulletin (MS99-048)
--------------------------------------
Patch Available for "Active Setup Control" Vulnerability
Originally Posted: November 11, 1999
Summary
=======
Microsoft has released a patch that eliminates a vulnerability that could
allow a malicious user to embed an unsafe executable within an email and
disguise it as a safe type of attachment. Through a complicated series of
steps, the unsafe executable could be made to execute under certain
conditions, if the user opened the attachment.
Frequently asked questions regarding this vulnerability can be found at
http://www.microsoft.com/security/bulletins/MS99-048faq.asp
Issue
=====
A particular ActiveX control allows cabinet files to be launched and
executed. This could allow an HTML mail to contain a malicious
cabinet file, disguised as a file of an innocuous type. If a user
attempted to open this file, the operation would fail but could,
depending on the mail package, leave a copy of the file in a known
location. The ActiveX control could then be used via a script
embedded in the mail to launch the copy, thereby executing the
malicious code.
The vulnerability could only be exploited in cases where a mail reader were
used that allowed scripts in HTML mail and stored temporary copies of
launched programs in known locations. The patch restricts the ability of
the control to launch unsigned cabinet files that have been downloaded
from the local machine.
Affected Software Versions
==========================
The affected ActiveX control ships as part of Microsoft Internet Explorer 4
and 5
NOTE: Microsoft produces security patches for Internet Explorer 4.01 SP2
and higher. In the event that this package is applied to Internet Explorer
4.01 SP1, the package states that a fix is not needed. This message is
incorrect, as the vulnerability does exist on Internet Explorer 4.01 SP1.
If you are using Internet Explorer 4.01 SP1, please upgrade to the latest
version of Internet Explorer to resolve this issue.
More Information
================
Please see the following references for more information related to this
issue.
- Microsoft Security Bulletin MS99-048: Frequently Asked Questions,
http://www.microsoft.com/security/bulletins/MS99-048faq.asp
- Microsoft Knowledge Base (KB) article Q244540, Update Available
for "Active Setup Control" Vulnerability,
http://support.microsoft.com/support/kb/articles/q244/5/40.asp
(Note: It may take 24 hours from the original posting of this
bulletin for the KB article to be visible.)
- Microsoft Security Advisor web site,
http://www.microsoft.com/security/default.asp
Obtaining Support on this Issue
===============================
This is a fully supported patch. Information on contacting Microsoft
Technical Support is available at
http://support.microsoft.com/support/contact/default.asp
Acknowledgments
===============
Microsoft acknowledges Juan Carlos Garcia Cuartango of Spain for
bringing this issue to our attention.
Revisions
=========
- November 11, 1999: Bulletin Created.
SysOpt.com
Copyright Internet.com Inc. All Rights Reserved.