COMMAND

    "Image Source Redirect"

SYSTEMS AFFECTED

    Internet Explorer 4.0 and 4.01, 5 and 5.01

PROBLEM

    The  following  is  based  on  a  Security  Bulletin  from  the
    Microsoft  Product  Security  Notification  Service.   When  a web
    server navigates a  window from one  domain into another  one, the
    IE security model checks the server's permissions on the new page.
    However, it is possible for a web server to open a browser  window
    to a client-local file, then navigate the window to a page that is
    in  the  web  site's  domain  in  such  a way that the data in the
    client-local file is accessible to the new window.  The data would
    only be accessible to the new window for a very brief period,  but
    the result is that it could  be possible for a malicious web  site
    operator to view files  on the computer of  a visiting user.   The
    web  site  operator  would  need  to  know (or guess) the name and
    location of the file, and could  only view file types that can  be
    opened in a browser window.

SOLUTION

    Patch availability:

        http://windowsupdate.microsoft.com
        http://www.microsoft.com/windows/ie/security/patch5.asp

    NOTE: Microsoft  produces security  patches for  Internet Explorer
    4.01 SP2 and higher.  In the event that this package is applied to
    Internet Explorer 4.01 SP1, the  package states that a fix  is not
    needed.   This  message  is  incorrect,  as the vulnerability does
    exist on Internet  Explorer 4.01 SP1  or any earlier  release.  If
    you are using Internet Explorer  4.01 SP1 or any earlier  release,
    please  upgrade  to  the  latest  version  of Internet Explorer to
    resolve this issue.