Which Versions of
Internet Explorer are Affected by Security Issues?
All versions of Internet Explorer are vulnerable
to one or more security issues. Most of these issues are the result of
design flaws (such as the Cybersnot, MIT, UMD problems), while some are
bugs and others the result of third parties (such as the Java security
problem reported by
C|Net).
In addition, all International versions of IE are affected. As previously
mentioned, IE for the Macintosh is affected by the Java security issue
discovered by
Sun Microsystems. The Sun
Java issues was researched by Microsoft, and they determined that Windows
versions of IE are not affected. A patch for the Mac version is available
at
http://www.microsoft.com/ie/security/java.htm
and it should be downloaded and installed by all IE Macintosh users.
Again, there is a second Java security issue that affects IE3.01 users.
For more information on the second issue (including the downloadable fix),
see Microsoft's
Known
Issues in Internet Explorer Java Support page.
Administrators, ISPs and others who are distributing IE via the Internet
Explorer Administration Kit (IEAK) are also affected. To get an in-place
update of the IEAK, visit Microsoft's
IEAK
web site.
How Can I
Identify What Version of IE I have?
Internet Explorer version numbers use the following format:
<major version>.<minor version>.<build number>.<sub-build number>
Below is a table listing the
various 32-bit Windows versions of IE:
|
Version |
Product |
|
4.40.308 |
Internet
Explorer 1.0 (Plus!) |
|
4.40.520 |
Internet
Explorer 2.0 |
|
4.40.1381.1 |
Ships with NT 4.0, Proxy Server 1.0, Visual Basic 5.0, NT
Service Packs 1-4 |
|
4.70.0.1155 |
Internet
Explorer 3.0 |
|
4.70.0.1158 |
Internet
Explorer 3.0 (OSR2) |
|
4.70.0.1215 |
Internet
Explorer 3.01 |
|
4.70.1300 |
Internet
Explorer 3.02 |
|
4.71.544 |
Internet
Explorer 4.0 Platform Preview 1.0 (PP1) |
|
4.71.1008.3 |
Internet
Explorer 4.0 Platform Preview 2.0 (PP2) |
|
4.71.1712.6 |
Internet
Explorer 4.0 |
|
4.72.2106.1 |
Ships with
Win95 OSR2.5 |
|
4.72.2106.8 |
Internet
Explorer 4.01 |
|
4.72.3110.0 |
Ships with
Win98, SQL Server 7.0, Publisher 98, Visual Studio 6.0, NT4/SP5 |
|
4.72.3110.8 |
Internet
Explorer 4.01 Service Pack 1 (SP1) |
|
4.72.3612.1712 |
Internet
Explorer 4.01 Service Pack 2 (SP2) |
|
5.00.0518.10 |
Internet
Explorer 5 Developer Preview (Beta 1) |
|
5.00.0910.1309 |
Internet
Explorer 5 Beta (Beta 2) |
|
5.00.2014.0216 |
Internet
Explorer 5 (Original) |
|
5.00.2314.1000 |
Ships with
Office 2000 Developer Edition |
|
5.00.2314.2100 |
Internet
Explorer 5 (Refresh) |
|
5.00.2614.3500 |
Internet
Explorer 5 (Refresh 2) |
|
5.00.2919.3800 |
Windows 2000 RC2 (all flavors) |
|
5.00.2919.6304 |
Internet
Explorer 5.01 |
|
5.00.2920.0 |
Windows 2000 (all flavors) |
|
5.00.3105.0106 |
Internet
Explorer 5.01 Service Pack 1 |
|
5.50.4134.0100 |
Windows Millennium
Edition |
|
5.50.4134.0600 |
Internet
Explorer 5.5 |
|
5.51.4807.2300 |
Internet Explorer 5.5
Service Pack 2 |
|
6.00.2462.0000 |
Internet
Explorer 6.0 Public Preview |
|
6.00.2600.00 |
Internet Explorer 6.0
(Windows XP) |
To get version information for Windows 3.1,
Macintosh and Unix platforms, check out Knowledge Base article
164539.
What Security
Issues are Known So Far?
Click
here for
1996-2002
issues.
On February 12, 2003, Microsoft
released
Security Bulletin MS03-004 and Knowledge Base article
813951
which discuss the availability of a
cumulative patch (e.g., a patch that includes the functionality of all
previously released patches) for Internet Explorer 5.01, 5.5, 6.0.
The patch eliminates two newly discovered vulnerabilities involving
Internet Explorer�s cross-domain security model - which keeps windows of
different domains from sharing information. These flaws results in
Internet Explorer because incomplete security checking causes Internet
Explorer to allow one website to potentially access information from
another domain when using certain dialog boxes.
The vulnerability, which was reported to Microsoft by Andreas Sandblad of
Sweden, could enable
a malicious webmaster to load hostile code onto a user's system. In
addition, the vulnerability could enable an attacker to invoke an
executable that was already present on the local system, or take any other
action available to the system owner.
A related cross-domain vulnerability allows Internet Explorer�s
showHelp() functionality to execute without proper security checking.
showHelp() is one of the help methods used to display an HTML page
containing help content. showHelp() allows more types of pluggable
protocols than necessary, and this could potentially allow an attacker to
access user information, invoke executables already present on a user�s
local system or load malicious code onto a user�s local system. This cumulative patch will cause window.showHelp( ) to cease to
function. When the latest HTML Help update - which is being released via
Windows Update with this patch - is installed, window.showHelp( ) will
function again, but with some limitations (see the caveats section later
in this bulletin). This has been necessary in order to block the attack
vector that might allow a web site operator to invoke an executable that
was already present on a user�s local system.
On April 23, 2003, Microsoft released
Security Bulletin MS03-015
and Knowledge Base article
813489, which
discuss the the availability of a
cumulative patch (e.g., a patch that includes the functionality of all
previously released patches) for Internet Explorer 5.01, 5.5 and 6.0.
In addition to resolving all prior known vulnerabilities, the patch also
eliminates four additional vulnerabilities:
- A buffer overrun vulnerability in URLMON.DLL that occurs because
Internet Explorer does not correctly check the parameters of information
being received from a web server.
- A vulnerability in the Internet Explorer file upload control that
allows input from a script to be passed to the upload control.
- A flaw in the way Internet Explorer handles the rendering of third
party files.
- A flaw in the way modal dialogs are treated by Internet Explorer
that occurs because an input parameter is not properly checked.
Several folks contributed to the finding of these vulnerabilities:
Each of these are critical vulnerabilities that could enable a
malicious webmaster to take complete control of a victim's machine.
NEW:
On June 4, 2003, Microsoft released
Security Bulletin MS03-020
and Knowledge Base article
818529, which
discuss the the availability of a cumulative patch (e.g., a patch that
includes the functionality of all previously released patches) for
Internet Explorer 5.01, 5.5 and 6.0. In addition to resolving all
prior known vulnerabilities, the patch also eliminates two additional
vulnerabilities:
- A buffer overrun vulnerability that occurs because Internet Explorer
does not properly determine an object type returned from a web server.
- A flaw that results because Internet Explorer does not implement an
appropriate block on a file download dialog box.
These vulnerabilities, which were reported to Microsoft by
eEye Digital Security could enable a
malicious webmaster to take complete control of a victim's machine.
How Can I
Protect Myself When Using Microsoft Internet Explorer?
There's obviously no better protection than abstinence. But I would never
suggest that someone stop surfing the Web, nor would I suggest they switch
browsers. But there are some things you can do to protect yourself:
Make regular backups of your hard drive(s).
This advice should be heeded by anyone with any kind of computer, and
not just IE users. This is especially important for Windows9x and
Windows NT, Windows 2000, Windows XP and Windows Server 2003 users. There is NO SUBSTITUTE for a
good backup.
If you are not using the latest version of IE, you should upgrade.
Then apply all available patches and updates.
This will protect you from most of the security issues. You can
download all of patches and updates at
Microsoft's
IE Site. If you are using the IEAK, you can also download
software
that will perform an in-place update or your installed IEAK.
Familiarize yourself with the security options in Internet Explorer. You
can get a ton of information on
Microsoft's
web site or in
Microsoft's
Knowledge Base. Of course, don't forget to check out
Internet
Explorer Home Page.
Beware when surfing. Don't just click any link unless you're pretty sure
what is going to happen. In many cases, you can see what a link will do
by placing your mouse over it (without clicking) and looking at the IE
status bar (which, if turned off can be turned on from the View menu in
IE). If you want, you can almost always see the source code for a web
page by right-clicking in the page and selecting View Source. This will
help you determine what a link is going to do when you click it in case
it isn't apparent from the status bar.
Stay informed. Bookmark this site! IMHO, this is one of the best
ways to keep current on security issues that affect Internet Explorer.
But keep up on your own, too. Visit the sites mentioned at this
site,
search the web for more information and browse the newsgroups devoted to
IE. If you find anything of importance not mentioned here,
send it to
me for inclusion
and I'll credit you as the source of the information.
Visit the
Microsoft
Security Advisor Program page regularly. Check Microsoft's
Issues
page regularly. Send your questions and comments to
Microsoft's
Security Mailbox, or to
me.
Please note, that I can't guarantee a response to email,
and I definitely will NOT answer Content Advisor password
questions, so don't even ask.
How can I disable the Content
Advisor?
You need to call Microsoft Tech Support. They have
a fix for this and It will not cost you anything. Just let the Customer
Service Rep know that you have a problem with the Content Advisor in
Internet Explorer.
Their number is 425-635-7000 from 6 am - 6 pm Mon-Fri PST.
