Security Update, August 16, 2000
This update includes several updates for security vulnerabilities in Internet Explorer that have been released since Windows Me was released to manufacturing, and is discussed in Microsoft Security Bulletin MS00-055. Download now to resolve the "Scriptlet Rendering" and "Frame Domain Verification" security vulnerabilities, and several other vulnerabilites in Internet Explorer.
This resolves the following security vulnerabilities:
- The “Scriptlet Rendering” vulnerability. The ActiveX® control that is used to invoke scriptlets is essentially a rendering engine for HTML. However, it will render any file type, not just HTML files. This may present an opportunity to a malicious Web site operator to provide false script information, solely for the purpose of introducing it into an Internet Explorer system file with a known name, and then use the scriptlet control to render the file. The net effect would be to make the script run in the local computer zone, at which point the script could access files on the user’s local file system.
- A new variant of the “Frame Domain Verification” vulnerability . The Frame
Domain Verification vulnerability involves two functions that do not enforce
proper separation of frames in the same window that reside in different domains. The new variant involves an additional function with
the same flaw.
The new variant involves an additional function with the same flaw. The
net effect of the vulnerability is to enable a malicious Web site operator to open two frames,
one in the Web site's domain and another on the user’s local file system, and enable the latter to pass information to
the former.
In order to
exploit either vulnerability, a malicious Web site operator would need to know or guess the exact name and
path of each file he or she wanted to view. Even then, a Web site operator could only view file types that can be opened in a
browser window – for instance, .txt or .doc files, but not .exe or .dat
files. If the Web site were in a zone in which Active Scripting were disabled, neither
vulnerability could be exploited.
For more information about these vulnerabilities, please see Microsoft Security Bulletin MS00-055. (This site is in English.)
This update also protects against several other vulnerabilities that are the subject of previously-released security bulletins. Specifically, if you apply this update, you'll also be protected against the vulnerabilities discussed in Microsoft Security Bulletins: MS00-033, MS00-039, MS00-049, and, for Internet Explorer 5.5 only, MS00-042.
(These sites are in English.)
System Requirements
This update applies to Windows Millenium Edition (Windows Me).
How to Use
Restart your computer to complete the installation.
Uninstall is not available.