COMMAND

    Internet Explorer

SYSTEMS AFFECTED

    Internet Explorer 4, 4.01, 5, 5.01

PROBLEM

    Following  is  based  on  a  Security Bulletin from the Microsoft.
    The HTML  Help facility  provides the  ability to  launch code via
    shortcuts included in  HTML Help   files. If a  compiled HTML Help
    (.chm) file  were referenced  by a  malicious web  site, it  could
    potentially be used to launch  code on a visiting user's  computer
    without the  user's approval.   Such code  could take  any actions
    that the user could  take, including adding, changing  or deleting
    data, or communicating with a remote web site.

    A web site could only invoke an HTML Help file if it resided on  a
    UNC share accessible  from the   user's machine, or  on the user's
    machine itself.  A firewall that blocks Netbios would prevent  the
    former case from being  exploited.  Adhering to  standard security
    practices would prevent  the  latter.   In addition, an  HTML Help
    file could only  be invoked if  Active Scripting was  permitted in
    the Security Zone that the malicious user's site resides in.   The
    patch eliminates the vulnerability  by only allowing an  HTML Help
    file  to  use  shortcuts  if  the  help  file resides on the local
    machine.

SOLUTION

    Patch availability:

        - Internet Explorer 4.0, 4.01, 5.0, or 5.01 running on Windows 95, Windows 98, Windows 98 Second Edition, or Windows NT 4.0: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=21705
        - Internet Explorer 5.01 on Windows 2000: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=21706