COMMAND
Internet Explorer
SYSTEMS AFFECTED
Internet Explorer 3.x, 4.x, Netscape up to 4.04
PROBLEM
Georgi Guninski found following. The Cross Frame Navigate issue
involves a vulnerability in Internet Explorer that could allow a
malicious hacker to circumvent certain Internet Explorer security
safeguards. This vulnerability makes it possible for a malicious
Web site operator to read the contents of files on your computer.
Affected software:
- Microsoft Internet Explorer 4.0, 4.01 and 4.01 SP1 on
Windows NT 4.0, Windows 95
- Microsoft Windows 98, with integrated Internet Explorer
(version 4.01 SP1)
- Microsoft Internet Explorer 4.0 and 4.01 for Windows 3.1 and
Windows NT 3.51
- Microsoft Internet Explorer 4.0 and 4.01 for Macintosh
- Microsoft Internet Explorer 3.x
- Netscape Navigator Version 3.01
- Netscape Navigator Version 3.04
This vulnerability could also affect software that uses HTML
functionality provided by Internet Explorer. Anyone using such
programs should download the patch even if they do not run
Internet Explorer as their default browser. Demonstration of this
is available at:
http://www.geocities.com/ResearchTriangle/1711/good-read.html
For a really scary Demonstration of how this works, go to:
http://onion-router.nrl.navy.mil/Tests.html
This is a Department of Defense Web Site with a Server especially
designed for this purpose. Also, here are two demo HTML pages
that have been put together which illustrate how an HTML page can
send out the contents of a stolen file either as a Email message
or as a newsgroup posting:
http://jshelper.pharlap.com/private/demos/automail.htm
http://jshelper.pharlap.com/private/demos/autopost.htm
SOLUTION
This does not appear to work in IE 5.0.
Internet Explorer 4
-------------------
Customers using versions of Internet Explorer listed in the
"Affected Products" section can obtain the patch from the
Internet Explorer Security web site:
http://www.microsoft.com/ie/security/xframe.htm
Windows 98
----------
Windows 98 customers can get the updated patch using the
Windows Update. To obtain this patch using Windows Update,
launch Windows Update from the Windows Start Menu and click
"Product Updates." When prompted, select 'Yes' to allow
Windows Update to determine whether this patch and other
updates are needed by your computer. If your computer does
need this patch, you will find it listed under the "Critical
Updates" section of the page.
Internet Explorer 3 Users
-------------------------
Users of Internet Explorer 3 should first upgrade to the
latest version of Internet Explorer 4 and then obtain the
patch. Information on updating to Internet Explorer 4 can be
found from the Internet Explorer download site:
http://www.microsoft.com/ie/download
In addition to the product guidelines above, you can determine if
you have an affected version of mshtml.dll by determining version
you got. If in Windows 98, Windows 95, and Windows NT 4.0 the
file version is less than 4.72.3509.0100, your system could be
affected. If the file version is greater than 4.72.3508.2400,
your system does not need the patch. In Windows 3.1x if the file
version is equal to or less than 4.01.2509.0200, your system could
be affected. If the file version is greater than 4.01.2509.0200,
your system does not need the patch. On a Macintosh if the
version is 4.01 (PowerPC) or 4.01 (68k), your system could be
affected and it is recommend that you download the patch for
Internet Explorer 4.01. If the version is 4.0, your system
could be affected and it is recommend that you download Internet
Explorer 4.01 and download the patch. If the version is 4.01
(310), you already have the patch and do not need to download it
again. Workaround: Disable Javascript.
Netscape Navigator/Communicator 4.0.5 seems not to be, and it
causes the javascript error "JavaScript Error: illegal URL method
'file:' "