COMMAND

    Internet Explorer

SYSTEMS AFFECTED

    Internet Explorer 3.x, 4.x, Netscape up to 4.04

PROBLEM

    Georgi Guninski found the following.  The Cross Frame Navigate issue
    involves a vulnerability in  Internet Explorer that could  allow a
    malicious hacker to circumvent certain Internet Explorer  security
    safeguards. This vulnerability makes  it possible for a  malicious
    Web site operator to read the contents of files on your  computer.
    Affected software:

        - Microsoft  Internet  Explorer  4.0,  4.01  and  4.01 SP1  on
          Windows NT 4.0, Windows 95
        - Microsoft  Windows  98,  with  integrated Internet  Explorer
          (version 4.01 SP1)
        - Microsoft Internet Explorer 4.0 and 4.01 for Windows 3.1 and
          Windows NT 3.51
        - Microsoft Internet Explorer 4.0 and 4.01 for Macintosh
        - Microsoft Internet Explorer 3.x
        - Netscape Navigator Version 3.01
        - Netscape Navigator Version 3.04

    This  vulnerability  could  also  affect  software  that uses HTML
    functionality  provided  by  Internet  Explorer. Anyone using such
    programs  should  download  the  patch  even  if  they  do not run
    Internet Explorer as their default browser.  Demonstration of this
    is available at:

        http://www.geocities.com/ResearchTriangle/1711/good-read.html

    For a really scary Demonstration of how this works, go to:

        http://onion-router.nrl.navy.mil/Tests.html

    This is a Department of Defense Web Site with a Server  especially
    designed for  this purpose.   Also, here  are two  demo HTML pages
    that have been put together which illustrate how an HTML page  can
    send out the contents of a stolen file either as an Email message
    or as a newsgroup posting:

        http://jshelper.pharlap.com/private/demos/automail.htm
        http://jshelper.pharlap.com/private/demos/autopost.htm

SOLUTION

    This does not  appear to work  in IE 5.0.

    Internet Explorer 4
    -------------------
        Customers using  versions of  Internet Explorer  listed in the
        "Affected  Products"  section  can  obtain  the patch from the
        Internet Explorer Security web site:

        http://www.microsoft.com/ie/security/xframe.htm

    Windows 98
    ----------
        Windows  98  customers  can  get  the  updated patch using the
        Windows Update.  To obtain  this patch  using Windows  Update,
        launch Windows Update  from the Windows  Start Menu and  click
        "Product  Updates."  When  prompted,  select  'Yes'  to  allow
        Windows  Update  to  determine  whether  this  patch and other
        updates are  needed by  your computer.  If your  computer does
        need this patch, you will  find it listed under the  "Critical
        Updates" section of the page.

    Internet Explorer 3 Users
    -------------------------
        Users  of  Internet  Explorer  3  should  first upgrade to the
        latest  version  of  Internet  Explorer  4 and then obtain the
        patch.  Information on updating to Internet Explorer 4 can  be
        found from the Internet Explorer download site:

        http://www.microsoft.com/ie/download

    In addition to the product guidelines above, you can determine if
    you have an affected version of mshtml.dll by checking its file
    version.  In Windows 98, Windows 95, and Windows NT 4.0, if the
    file version is less than 4.72.3509.0100, your system could be
    affected.  If the file version is greater than 4.72.3508.2400,
    your system does not need the patch.  In Windows 3.1x, if the file
    version is equal to or less than 4.01.2509.0200, your system could
    be affected.  If the file version is greater than 4.01.2509.0200,
    your system does not need the patch.  On a Macintosh, if the
    version is 4.01 (PowerPC) or 4.01 (68k), your system could be
    affected and it is recommended that you download the patch for
    Internet Explorer 4.01.  If the version is 4.0, your system
    could be affected and it is recommended that you download Internet
    Explorer 4.01 and download the patch.  If the version is 4.01
    (310), you already have the patch and do not need to download it
    again.  Workaround: Disable Javascript.
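
    The mshtml.dll version check above, written out as an added example
    (not part of the original advisory).  The platform keys, function
    names and sample versions are assumptions made for illustration; the
    thresholds are the ones printed above.

```python
# Added example: classify an mshtml.dll file version against the
# thresholds printed in the advisory. Names here are illustrative.

def parse_version(text):
    """'4.72.3509.0100' -> (4, 72, 3509, 100).

    Fields are compared as integers; comparing the raw strings would
    rank '0100' below '99' and misclassify the file.
    """
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError("expected four numeric fields: %r" % (text,))
    return tuple(int(p) for p in parts)

# Thresholds exactly as given in the advisory text.
WIN32_AFFECTED_BELOW = parse_version("4.72.3509.0100")  # less than: could be affected
WIN32_PATCHED_ABOVE = parse_version("4.72.3508.2400")   # greater than: no patch needed
WIN31_THRESHOLD = parse_version("4.01.2509.0200")       # <= affected, > no patch needed

def classify(platform, version_text):
    """platform: 'win32' (Windows 95/98/NT 4.0) or 'win31' (Windows 3.1x)."""
    v = parse_version(version_text)
    if platform == "win32":
        affected = v < WIN32_AFFECTED_BELOW
        patched = v > WIN32_PATCHED_ABOVE
        # The two printed thresholds overlap: a version strictly between
        # them meets both rules, so report it for manual review.
        if affected and patched:
            return "ambiguous"
        return "could be affected" if affected else "no patch needed"
    if platform == "win31":
        return "could be affected" if v <= WIN31_THRESHOLD else "no patch needed"
    raise ValueError("unknown platform: %r" % (platform,))

if __name__ == "__main__":
    # Constructed sample inventory, not real host data.
    inventory = [
        ("win32", "4.72.3110.0"),
        ("win32", "4.72.3508.2401"),
        ("win32", "4.72.3509.0100"),
        ("win31", "4.01.2509.0200"),
    ]
    for platform, version in inventory:
        print(platform, version, "->", classify(platform, version))
```

    Any result other than "no patch needed" is worth following up with
    the patch instructions above.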

    Netscape Navigator/Communicator 4.0.5 seems not to be affected; it
    reports the JavaScript error "JavaScript Error: illegal URL method
    'file:' "