Therefore, any systems where Internet Explorer is actively used such as user's workstations are at the most risk from these vulnerabilities. Systems where Internet Explorer is not actively used such as most server systems are at a reduced risk. What does the update do? The update addresses the vulnerabilities by ensuring that the correct cross domain security checks take place whenever the affected programming functions are used.
What is the scope of the vulnerability? This vulnerability involves how zone information is passed to an XML document in Internet Explorer and could result in an attacker being able to read local files on a user's system. To exploit this vulnerability, an attacker would have to host a malicious Web site that contained a Web page that is designed to exploit this particular vulnerability and then persuade a user to visit that site.
After the user had visited the malicious Web site, an attacker could read local files from a known location on the user's system. What causes the vulnerability? This vulnerability results because Internet Explorer improperly validates the path when binding content to a XML document.
As a result, local file content can be bound to an XML document from the Internet zone or from the intranet zone. What is an XML document? These documents provide standards-based support for processing XML. What might an attacker use the vulnerability to do?
An attacker that successfully exploited this vulnerability could obtain a list of recently visited Web sites, grab session information from the user's cookie files, or access data in files that are stored in a known location on the user's file system. How could an attacker exploit this vulnerability? To exploit this vulnerability, an attacker would have to host a malicious Web site or an HTML e-mail message that contained a Web page that is designed to exploit this particular vulnerability and then persuade a user to visit that site or view the e-mail message.
If the user accepted the download of this HTML file, an attacker could read local files on the user's system. Any system that has Internet Explorer installed is at risk from this vulnerability and this update should be installed immediately on all systems. However, this vulnerability requires a user to be logged on and to be using Internet Explorer for any malicious action to occur.
Therefore, any systems where Internet Explorer is actively used such as user's workstations are at the most risk from this vulnerability. The update corrects the vulnerability by ensuring that the path is properly evaluated when binding content to a data object. As a result, local file content cannot be bound to a XML object from the Internet zone or from the Intranet zone. This vulnerability involves the Drag and Drop event in Internet Explorer and could result in a file being saved on the user's system when the user clicked a link.
The user would not receive a dialog box requesting to approve the download. To exploit this vulnerability, an attacker would have to host a malicious Web site that contained a Web page with a link that is designed to exploit this particular vulnerability and then persuade a user to visit that site.
If the user clicked the malicious link, any code of the attacker's choice could be saved in a target location on the user's computer. As a result, a file could be downloaded to the user's system after the user clicks a link. These events can be used in script code to add dynamic content to a Web site. An attacker who successfully exploited this vulnerability could save code of their choice to the user's local file system.
Although this code could not be executed through this vulnerability directly, the operating system might open the file if it is dropped to a sensitive location, or a user may click the file inadvertently, causing the attacker's code to be executed. If the user clicked the malicious link, any code of the attacker's choice could be saved on the user's computer in a targeted location. Any system that has Internet Explorer installed is at risk from this vulnerability, and this update should be installed immediately on all systems.
Systems where Internet Explorer is not actively used such as most server systems are a reduced risk. Microsoft has tested the versions of Windows and the versions of Internet Explorer that are listed in this bulletin to assess whether they are affected by these vulnerabilities and to confirm that the update that this bulletin describes addresses these vulnerabilities.
To install the Internet Explorer 6 for Windows Server versions of this update, you must be running Internet Explorer 6 version 6. To install the Internet Explorer 6 version of this update, you must be running Internet Explorer 6 version 6. To install the Internet Explorer 5. Note: Versions of Windows and versions of Internet Explorer that are not listed in this article are no longer supported.
Although you can install some of the update packages that are described in this article on these versions of Windows and of Internet Explorer, Microsoft has not tested these versions to assess whether they are affected by these vulnerabilities or to confirm that the update that this article describes addresses these vulnerabilities. Microsoft recommends that you upgrade to a supported version of Windows and of Internet Explorer, and then apply the appropriate update.
For additional information about how to determine which version of Internet Explorer you are running, click the following article number to view the article in the Microsoft Knowledge Base:. For additional information about support life cycles for Windows components, visit the following Microsoft Web site:.
For additional information about how to obtain the latest service pack for Internet Explorer 6, click the following article number to view the article in the Microsoft Knowledge Base:. For additional information about how to obtain the latest service pack for Internet Explorer 5. All In One Tweaks. Back Up. Covert Ops. Internet Tools.
Linux Distros. MajorGeeks Windows Tweaks. System Tools. Many bug-related articles describe either fixed bugs or known bugs in this version of the product. To search the Knowledge Base, visit the following Microsoft Web site:. A2: For more information about these topics, visit the following Microsoft Web site:. Where can I obtain Jet? A3: MDAC versions 2. For additional information about the issues involving Jet, click the following article number to view the article in the Microsoft Knowledge Base:.
It is not included with MDAC 2. You cannot install the MDAC 2. If you install MDAC 2. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:. The resource files in the 2. There is no functional difference between the different versions.
For specific versioning information for this stand-alone release, see the file list table in this article. This is because of a problem with the setup technology that is included with Windows 98 and Windows Me. Security bulletins: MS Warning: This site requires the use of scripts, which your browser does not currently allow.
See how to enable scripts. Select Language:.
0コメント