DOCUMENT:Q240308
TITLE   :Update Available for Scriptlet.typlib/Eyedog Security Vulnerability
PRODUCT :Internet Explorer
PROD/VER:4.0, 4.01, 4.01 SP1, 4.01 SP2, 5.0
OPER/SYS:WINDOWS 98, Windows 95, Windows NT

-------------------------------------------------------------------------------
The information in this article applies to:

 - Microsoft Internet Explorer versions 4.0, 4.01 Service Pack 2, 5 for
   Windows 98
 - Microsoft Internet Explorer versions 4.0, 4.01, 4.01 Service Pack 1,
   4.01 Service Pack 2, 5 for Windows NT 4.0
 - Microsoft Internet Explorer version 5 for Windows 95
-------------------------------------------------------------------------------

SUMMARY
=======

Microsoft has released an update that eliminates security vulnerabilities in
the following two ActiveX controls:

 - Object for constructing type libraries for scriptlets (Scriptlet.Typelib)
 - Eyedog

Additional information about these controls is available at the following
Microsoft Web site:

   http://www.microsoft.com/security/bulletins/ms99-032.asp

The update eliminates a vulnerability that could allow a malicious Web site
operator to take inappropriate actions on your computer and is posted to the
following Microsoft Web site:

   ftp://ftp.microsoft.com/peropsys/IE/IE-Public/Fixes/usa/Eyedog-fix/

MORE INFORMATION
================

The Scriptlet.Typelib and Eyedog controls are not related to each other, but
both are incorrectly marked as "safe for scripting" and can therefore be called
from Internet Explorer.

Developers use the Scriptlet.Typelib control to generate Type Libraries for
Windows Scripting Components. It should not be marked "safe for scripting"
because it allows local files to be created or modified. The update removes the
"safe for scripting" setting, which causes Internet Explorer to prompt you for
confirmation before loading the control.

The Eyedog control is used by diagnostic software in Windows. It should not be
marked "safe for scripting" because it allows registry information to be
queried and computer characteristics to be gathered. In addition, one of the
control's methods is vulnerable to a buffer overrun attack. The update prevents
the control from loading within Internet Explorer.

For additional security-related information about Microsoft products, please
visit the following Microsoft Web site:

   http://www.microsoft.com/security

Additional query words: ie

============================================================================

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS"
WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER
EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS
BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL,
CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT
CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR
CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.
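
ADDED EXAMPLE (not part of the original article, and not Microsoft code): the "safe for scripting" marking discussed under MORE INFORMATION can be registered as a component category under a control's CLSID key, so a registry export can be audited for controls that carry it. The sketch below assumes a text export of the CLSID tree; the CLSIDs in the sample are constructed placeholders, not the real identifiers of either control, and "Example.Unmarked" is a hypothetical ProgID.

```python
import re

# Component categories that mark a COM class as safe for untrusted script
# or untrusted initialization data (under <CLSID>\Implemented Categories).
CATID_SAFE_FOR_SCRIPTING = "{7DD95801-9882-11CF-9FA8-00AA006C4F84}"
CATID_SAFE_FOR_INITIALIZING = "{7DD95802-9882-11CF-9FA8-00AA006C4F84}"

KEY_RE = re.compile(
    r"^\[(?:HKEY_CLASSES_ROOT|HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes)"
    r"\\CLSID\\(\{[0-9A-F-]{36}\})(?:\\(.*))?\]$", re.IGNORECASE)
DEFAULT_RE = re.compile(r'^@="(.*)"$')

# Constructed sample export; CLSIDs are placeholders, not the real controls'.
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-0000000000A1}\ProgID]
@="Scriptlet.TypeLib"

[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-0000000000A1}\Implemented Categories\{7DD95801-9882-11CF-9FA8-00AA006C4F84}]

[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-0000000000B2}\ProgID]
@="Example.Unmarked"
"""


def audit_safe_for_scripting(reg_text):
    """Map CLSID -> flags for each class carrying a safety category."""
    classes, entry, subkey = {}, None, ""
    for line in (raw.strip() for raw in reg_text.splitlines()):
        key = KEY_RE.match(line)
        if key:
            subkey = (key.group(2) or "").lower()
            entry = classes.setdefault(key.group(1).upper(), {
                "progid": None, "scripting": False, "initializing": False})
            if subkey.startswith("implemented categories\\"):
                catid = subkey.split("\\", 1)[1].upper()
                entry["scripting"] |= catid == CATID_SAFE_FOR_SCRIPTING
                entry["initializing"] |= catid == CATID_SAFE_FOR_INITIALIZING
        elif line.startswith("["):
            entry = None  # a key outside the CLSID tree
        elif entry is not None and subkey == "progid":
            value = DEFAULT_RE.match(line)
            if value:
                entry["progid"] = value.group(1)
    return {c: e for c, e in classes.items()
            if e["scripting"] or e["initializing"]}


if __name__ == "__main__":
    for clsid, flags in audit_safe_for_scripting(SAMPLE_EXPORT).items():
        print(clsid, flags)
```

A control can also declare itself safe at run time through the IObjectSafety interface, which a registry audit like this does not see, so an empty result does not prove that no control is scriptable.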