ms-frame-spoof.txt

`>From: Microsoft Product Security Notification Service  
[mailto:[email protected]] On Behalf Of  
Microsoft Product Security  
Sent: Wednesday, December 23, 1998 9:51 AM  
To: [email protected]  
Subject: Microsoft Security Bulletin (MS98-020)  
  
  
The following is a Security Bulletin from the Microsoft Product Security  
Notification Service.  
  
Please do not reply to this message, as it was sent from an unattended  
mailbox.  
********************************  
  
Microsoft Security Bulletin (MS98-020)  
--------------------------------------  
  
Patch Available for "Frame Spoof" Vulnerability  
  
Originally Posted: December 23, 1998  
  
Summary  
=======  
Microsoft has released a patch that fixes a vulnerability in Microsoft(r)  
Internet Explorer(r) that could allow a malicious web site operator to  
impersonate a window on a legitimate web site. The threat posed by this  
vulnerability is that the bogus window could collect information from the  
user and send it back to the malicious site.  
  
A fully supported patch is available for this vulnerability, and Microsoft  
recommends that all customers download and install it to protect their  
computers.  
  
Issue  
=====  
This vulnerability exists because Internet Explorer's cross domain  
protection does not extend to navigation of frames. This makes it possible  
for a malicious web site to insert content into a frame within another web  
site's window. If done properly, the user might not be able to tell that  
the frame contents were not from the legitimate site, and could be tricked  
into providing personal data to the malicious site. Non-secure (HTTP) and  
secure (HTTPS) sites are equally at risk from this vulnerability.  
  
While there have not been any reports of customers being adversely affected  
by these problems, Microsoft is releasing a patch to address any risks  
posed by this issue.  
  
Affected Software Versions  
==========================  
- Microsoft Internet Explorer versions 3.X, 4.0, 4.01,  
4.01 Service Pack 1 for Windows 95  
- Microsoft Internet Explorer versions 4.01 Service  
Pack 1 for Windows 98  
- Microsoft Internet Explorer versions 3.X, 4.0, 4.01,  
4.01 Service Pack 1 for Windows NT 4.0  
- Microsoft Internet Explorer versions 3.X, 4.0, 4.01  
for Windows 3.1  
- Microsoft Internet Explorer versions 3.X, 4.0, 4.01  
for Windows NT 3.51  
- Microsoft Internet Explorer versions 3.X, 4.X for Macintosh  
- Microsoft Internet Explorer version 4 for UNIX on HPUX  
- Microsoft Internet Explorer version 4 for UNIX on  
Sun Solaris  
  
No other products or versions of Internet Explorer are affected  
  
What Microsoft is Doing  
=======================  
Microsoft has released a patch that fixes the problem identified. This patch  
is available for download from the sites listed below in What Customers  
Should Do.  
  
Microsoft has sent this security bulletin to customers subscribing  
to the Microsoft Product Security Notification Service (see  
http://www.microsoft.com/security/services/bulletin.asp for more  
information about this free customer service).  
  
Microsoft has published the following Knowledge Base (KB) article on this  
issue:  
- Microsoft Knowledge Base (KB) article Q167614,  
Update Available For "Frame Spoofing" Security Issue,  
http://support.microsoft.com/support/kb/articles/q167/6/14.asp  
(Note: It might take 24 hours from the original posting of  
this bulletin for the updated KB article to be visible in  
the Web-based Knowledge Base.)  
  
What Customers Should Do  
========================  
Microsoft highly recommends that all affected customers download the updated  
patch to protect their computers. The complete URL for each affected  
software version is given below.  
  
NOTE: The patch for the "Frame Spoof" Vulnerability also includes two  
previously-released patches, for the "Untrusted Scripted Paste" and "Cross  
Frame Navigate" vulnerabilities. Customers who have not yet downloaded and  
installed these two patches need only download and apply the patch for the  
"Frame Spoof" Vulnerability. Customers who have applied either or both of  
patches should apply the patch for the "Frame Spoof" Vulnerability to  
ensure that they have the latest protection against all three  
vulnerabilities.  
  
Windows 98  
----------  
Windows 98 customers can obtain the updated patch using Windows Update. To  
obtain this patch using Windows Update, launch Windows Update from the  
Windows Start Menu and click "Product Updates." When prompted, select 'Yes'  
to allow Windows Update to determine whether this patch and other updates  
are needed by your computer. If your computer does need this patch, you will  
find it listed under the "Critical Updates" section of the page.  
  
Internet Explorer 3.X and 4.0  
-----------------------------  
Internet Explorer 3.X and 4.0 users must first upgrade to Internet  
Explorer 4.01 with Service Pack 1, which is available at  
http://www.microsoft.com/windows/ie/download/. After installing  
the upgrade, apply the Internet Explorer 4.01 patch as discussed below.  
  
Internet Explorer 4.01  
----------------------  
Customers using Internet Explorer 4.01 (with or without Service  
Pack 1) can obtain the patch from the Internet Explorer Security  
web site, (http://www.microsoft.com/windows/ie/security/spoof.asp).  
The patches for the Macintosh, HPUX and Solaris versions will be  
slightly delayed. When they are available, a notice will be posted  
on http://www.microsoft.com/ie/security/.  
  
More Information  
================  
Please see the following references for more information related to this  
issue.  
- Microsoft Security Bulletin 98-020, Patch Available for "Frame  
Spoof" Vulnerability (the Web-posted version of this bulletin),  
http://www.microsoft.com/security/bulletins/ms98-020.asp.  
- Microsoft Knowledge Base (KB) article Q167614,  
Update Available For "Frame Spoof" Security Issue,  
http://support.microsoft.com/support/kb/articles/q167/6/14.asp.  
  
Acknowledgements  
================  
Microsoft wishes to acknowledge Juan Carlos Garcia Cuartango of Spain for  
his continued assistance and input regarding variants of the Untrusted  
Scripted Paste Issue.  
  
Obtaining Support on this Issue  
===============================  
This is a supported patch. If you have problems installing  
this patch or require technical assistance with this patch,  
please contact Microsoft Technical Support. For information  
on contacting Microsoft Technical Support, please see  
http://support.microsoft.com/support/contact/default.asp.  
  
Revisions  
=========  
- December 23, 1998: Bulletin Created  
  
  
For additional security-related information about Microsoft products,  
please visit http://www.microsoft.com/security  
  
  
----------------------------------------------------------------------------  
  
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS"  
WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER  
EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS  
FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS  
SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,  
INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES,  
EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE  
POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR  
LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE  
FOREGOING LIMITATION MAY NOT APPLY.  
  
(c) 1998 Microsoft Corporation. All rights reserved. Terms of Use.  
  
*******************************************************************  
You have received this e-mail bulletin as a result of your registration  
to the Microsoft Product Security Notification Service. You may  
unsubscribe from this e-mail notification service at any time by sending  
an e-mail to [email protected]  
The subject line and message body are not used in processing the request,  
and can be anything you like.  
  
For more information on the Microsoft Security Notification Service  
please visit http://www.microsoft.com/security/bulletin.htm. For  
security-related information about Microsoft products, please visit the  
Microsoft Security Advisor web site at http://www.microsoft.com/security.  
`