Article ID: 242542
This article has been archived. It is offered "as is" and will no longer be updated.
Microsoft has released an update to Internet Explorer 5 that addresses a potential security vulnerability with the download Dynamic HTML (DHTML) behavior. Additional information about this issue is available from the following Microsoft Web site:
http://www.microsoft.com/technet/security/bulletin/MS99-040.mspxUpdates are available for the following products:
(http://support.microsoft.com/kb/226325/EN-US/ )Update Available for MSHTML Security Issues in Internet Explorer
DHTML behaviors (a new feature introduced in Internet Explorer 5) are simple, lightweight components that encapsulate specific functionality or behavior on a page. The download behavior feature allows Web page authors to download files for use in client-side scripts. By design, a Web site should be able to download only files that reside in its domain; this prevents client-side code from exposing files on the your computer or local intranet to the Web site. However, a server-side redirect can be used to bypass this restriction. This vulnerability could allow a malicious Web site operator to potentially read (but not modify or erase) files on your computer or on other computers on your local intranet.
This vulnerability does not affect Internet Explorer 5 for Microsoft Windows 3.1 and Windows NT 3.51 or Internet Explorer 5 for Macintosh. Internet Explorer 5 for UNIX is affected, and an update will be available soon (see the workaround described below). Internet Explorer 4.x (for all platforms) does not support the download DHTML behavior and is not affected by this vulnerability.
To obtain the update for the download behavior vulnerability, download and install the appropriate Q242542.exe file for your computer from the following Microsoft Web site:
http://www.microsoft.com/msdownload/iebuild/dlbhav/en/dlbhav.htmNOTE: If you are running Internet Explorer 5 for Windows 95, Windows 98, or Windows NT 4.0 (Intel), or you are running Windows 98 Second Edition, download the Update for "Download Behavior" Vulnerability (x86). If you are running Internet Explorer 5 for Windows NT 4.0 (Alpha), download the Update for "Download Behavior" Vulnerability (Compaq DIGITAL Alpha).
After you install the update, "Q242542" is added to the Update Versions line when you click About Internet Explorer on the Help menu in Internet Explorer.
Updated file name Size Date Version ---------------------------------------------------------------- Mshtml.dll 2,359,296 (x86) 9-29-99 5.00.2721.2900 Mshtml.dll 4,984,832 (Alpha) 9-29-99 5.00.2721.2900
Microsoft highly recommends that Internet Explorer 5 users evaluate the degree of risk that this vulnerability poses to their computers and determine whether to download and install the patch. Users who are concerned about this vulnerability but cannot install the patch can prevent the download behavior feature from operating by disabling Active Scripting in Internet Explorer 5. To do so:
http://www.microsoft.com/security/For additional information about the download behavior, please see the following Microsoft Web site:
http://msdn.microsoft.com/workshop/author/behaviors/reference/behaviors/download.aspNote that this problem does not occur in Internet Explorer 5.01.