*************************************************************************
Security Bulletin 9825                DISA Defense Communications System
August 19, 1998          Published by: DISN Security Coordination Center
                                     (SCC@NIC.MIL)   1-(800) 365-3642

                   DEFENSE INFORMATION SYSTEM NETWORK
                           SECURITY BULLETIN

The DISN SECURITY BULLETIN is distributed by the DISN SCC (Security
Coordination Center) under DISA contract as a means of communicating
information on network and host security exposures, fixes, and concerns
to security and management personnel at DISN facilities. Back issues may
be obtained via FTP from NIC.MIL [207.132.116.5] using login=
"anonymous" and password="guest". The bulletin pathname is scc/sec-yynn
(where "yy" is the year the bulletin is issued and "nn" is a bulletin
number, e.g. scc/sec-9705.txt). These are also available at our WWW
site, http://nic.mil.
**************************************************************************

+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
!                                                                       !
!     The following important advisory was issued by the Microsoft      !
!     Product Security Response Team and is being relayed unedited      !
!     via the Defense Information Systems Agency's Security             !
!     Coordination Center distribution system as a means of             !
!     providing DISN subscribers with useful security information.      !
!                                                                       !
+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +

=============================================================================
Microsoft Security Bulletin (MS98-011)
------------------------------------------------------------------------
Update available for "Window.External" JScript Vulnerability in
Microsoft Internet Explorer 4

Originally Posted: August 17, 1998
Last Revised: August 17, 1998

Summary
=======
Recently Microsoft was notified by Georgi Guninski and NTBugTraq
(http://ntbugtraq.ntadvice.com) of a security issue affecting the way
Microsoft Internet Explorer 4.0, 4.01 and 4.01 SP1 handles JScript
scripts downloaded from web sites.
Microsoft has produced a patch for this issue, which customers should
download and apply as soon as possible.

Issue
=====
Microsoft Internet Explorer 4.0, 4.01 and 4.01 SP1 use the JScript
Scripting Engine version 3.1 to process scripts on a web page. When
Internet Explorer encounters a web page that uses JScript script to
invoke the Window.External function with a very long string, Internet
Explorer could terminate.

Long strings do not normally occur in scripts and must be intentionally
created by someone with malicious intent. A skilled hacker could use
this malicious script message to run arbitrary computer code contained
in the long string.

In order for users to be affected by this problem, they must visit a web
site that was intentionally designed to include a malicious script. See
the "Administrative Workaround" section below for more information.

There have not been any reports of customers being affected by this
problem.

Affected Software Versions
==========================
The following software is affected by this vulnerability:

 - Microsoft Internet Explorer 4.0, 4.01, 4.01 SP1 on Windows 95 and
   Windows NT 4.0
 - Microsoft Windows 98

Internet Explorer 4 for Windows 3.1, Windows NT 3.51, Macintosh and UNIX
(Solaris) are not affected by this problem.

Internet Explorer 3.x is not affected by this problem.

What Microsoft is Doing
=======================
On August 17th Microsoft released a patch that fixes the problem as
reported. This patch is available for download from the Microsoft
Scripting Technologies web site,
http://www.microsoft.com/msdownload/vbscript/scripting.asp. Microsoft
has also made this patch available as a "Critical Update" for Windows 98
customers through the Windows Update.

Microsoft has sent this security bulletin to customers subscribing to
the Microsoft Product Security Notification Service (see
http://www.microsoft.com/security/bulletin.htm for more information
about this free customer service).

Microsoft has published the following Knowledge Base (KB) article on
this issue:

 - Microsoft Knowledge Base (KB) article Q191200, Update Available for
   JScript Security Issue,
   http://support.microsoft.com/support/kb/articles/q191/2/00.asp

In addition, Microsoft has notified CERT (http://www.cert.org), an
industry security organization, which redistributes security-related
information to corporate, government and end-users.

What customers should do
========================
Microsoft highly recommends that users of affected software versions,
listed in the "Affected Software Versions" section above, should install
the updated version of the Microsoft Scripting Engine 3.1, which
contains a fix for this problem. This update can be downloaded from
http://www.microsoft.com/msdownload/vbscript/scripting.asp.

Windows 98 Users
----------------
Windows 98 customers can also get the updated patch using the Windows
Update. To obtain this patch using Windows Update, launch Windows Update
from the Windows Start Menu and click "Product Updates." When prompted,
select 'Yes' to allow Windows Update to determine whether this patch and
other updates are needed by your computer. If your computer does need
this patch, you will find it listed under the "Critical Updates" section
of the page.

Localized versions of the patch are available from the Microsoft
Scripting Technologies web site,
http://www.microsoft.com/msdownload/vbscript/scripting.asp.

Administrative workaround
=========================
We strongly encourage customers to apply the patch. However, users who
cannot apply the patch can use the Zones security feature in Internet
Explorer to provide additional protection against this issue by
disabling Active Scripting in the "Internet" and "Restricted Sites"
Zones. This would still allow JScript to be run from trusted Internet
sites, and on the user's local intranet.

To turn off Active Scripting for the "Internet" Zone:

 1. From Internet Explorer, choose "Internet Options" from the "View"
    menu.
 2. Click on the tab labeled "Security".
 3. Click on "Internet Zone", then click "Customize Settings".
 4. Scroll to the bottom of the list and click on "Disable" under the
    "Active Scripting" setting.

These same procedures can be followed for the "Restricted Sites" Zone.

More Information
================
Please see the following references for more information related to this
issue.

 - Microsoft Security Bulletin MS98-011, Update available for
   "Window.External" JScript Vulnerability in Microsoft Internet
   Explorer 4, (the Web posted version of this bulletin),
   http://www.microsoft.com/security/bulletins/ms98-011.htm
 - Microsoft Knowledge Base (KB) article Q191200, Update for
   "Window.External" JScript Issue,
   http://support.microsoft.com/support/kb/articles/q191/2/00.asp
 - Microsoft Internet Explorer Security Bulletin, Update available for
   "Window.External" JScript security issue,
   http://www.microsoft.com/ie/security/jscript.htm
 - Windows Update Site, http://windowsupdate.microsoft.com
 - Microsoft Scripting Technologies web site,
   http://msdn.microsoft.com/scripting

Revisions
=========
 - Aug 17, 1998: Bulletin Created

For additional security-related information about Microsoft products,
please visit http://www.microsoft.com/security

------------------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS
IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES,
EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY
AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT
CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER
INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS
PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS
SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR
CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT
APPLY.

(c) 1998 Microsoft and/or its suppliers. All rights reserved.
For Terms of Use see
http://support.microsoft.com/support/misc/cpyright.asp.

=====================================================

You have received this e-mail bulletin as a result of your registration
to the Microsoft Product Security Notification Service. You may
unsubscribe from this e-mail notification service at any time by sending
an e-mail to MICROSOFT_SECURITY-SIGNOFF-REQUEST@ANNOUNCE.MICROSOFT.COM
The subject line and message body are not used in processing the
request, and can be anything you like.

For more information on the Microsoft Security Notification Service
please visit http://www.microsoft.com/security/bulletin.htm. For
security-related information about Microsoft products, please visit the
Microsoft Security Advisor web site at
http://www.microsoft.com/security.