Microsoft Security Bulletin MS98-020 - Critical
Patch Available for 'Frame Spoof' Vulnerability
Published: December 23, 1998 | Updated: May 16, 2003
Originally Posted: December 23, 1998
Updated: May 16, 2003
Microsoft has released a patch that fixes a vulnerability in Microsoft® Internet Explorer® that could allow a malicious web site operator to impersonate a window on a legitimate web site. The threat posed by this vulnerability is that the bogus window could collect information from the user and send it back to the malicious site.
A fully supported patch is available for this vulnerability, and Microsoft recommends that all customers download and install it to protect their computers.
This vulnerability exists because Internet Explorer's cross domain protection does not extend to navigation of frames. This makes it possible for a malicious web site to insert content into a frame within another web site's window. If done properly, the user might not be able to tell that the frame
contents were not from the legitimate site, and could be tricked into providing personal data to the malicious site. Non-secure (HTTP) and secure (HTTPS) sites are equally at risk from this vulnerability.
While there have not been any reports of customers being adversely affected by these problems, Microsoft is releasing a patch to address any risks posed by this issue.
Affected Software Versions
- Microsoft Internet Explorer versions 3.X, 4.0, 4.01, 4.01 Service
- Pack 1 for Windows 95
- Microsoft Internet Explorer versions 4.01 Service Pack 1 for Windows 98
- Microsoft Internet Explorer versions 3.X, 4.0, 4.01, 4.01 Service
- Pack 1 for Windows NT 4.0
- Microsoft Internet Explorer versions 3.X, 4.0, 4.01 for Windows 3.1
- Microsoft Internet Explorer versions 3.X, 4.0, 4.01 for Windows NT 3.51
- Microsoft Internet Explorer versions 3.X, 4.X for Macintosh
- Microsoft Internet Explorer version 4 for UNIX on HPUX
- Microsoft Internet Explorer version 4 for UNIX on Sun Solaris
- No other products or versions of Internet Explorer are affected
Vulnerability Identifier: CVE-1999-0869
What Microsoft is Doing
Microsoft has released a patch that fixes the problem identified. This patch is available for download from the sites listed below in What Customers Should Do.
Microsoft has sent this security bulletin to customers subscribing to the Microsoft Product Security Notification Service. See The Microsoft Product Security Notification Service for more information about this free customer service.
Microsoft has published the following Knowledge Base (KB) article on this issue:
Microsoft Knowledge Base (KB) article 167614, Update Available For "Frame Spoofing" Security Issue, http://support.microsoft.com/default.aspx?scid=kb;en-us;167614&sd=tech
(Note It might take 24 hours from the original posting of this bulletin for the updated KB article to be visible in the Web-based Knowledge Base.)
What customers should do
Microsoft highly recommends that all affected customers download the updated patch to protect their computers. The complete URL for each affected software version is given below.
Note The patch for the "Frame Spoof" Vulnerability also includes two previously-released patches, for the Untrusted Scripted Paste" and "Cross Frame Navigate" vulnerabilities. Customers who have not yet downloaded and installed these two patches need only download and apply the patch for the "Frame Spoof" Vulnerability. Customers who have applied either or both of patches should apply the patch for the "Frame Spoof" Vulnerability to ensure that they have the latest protection against all three vulnerabilities.
Windows 98 customers can obtain the updated patch using Windows Update. To obtain this patch using Windows Update, launch Windows Update from the Windows Start Menu and click "Product Updates." When prompted, select 'Yes' to allow Windows Update to determine whether this patch and other updates are needed by your computer. If your computer does need this patch, you will find it listed under the "Critical Updates" section of the page.
Internet Explorer 3.X and 4.0
Internet Explorer 3.X and 4.0 users must first upgrade to Internet Explorer 4.01 with Service Pack 1, which is available at http://www.microsoft.com/windows/downloads/ie/getitnow.mspx. After installing the upgrade, apply the Internet Explorer 4.01 patch as discussed below.
Internet Explorer 4.01
Customers using Internet Explorer 4.01 (with or without Service Pack 1) can obtain the patch from the Internet Explorer Security web site, (http://www.microsoft.com/technet/security/patchavailability.mspx). The patches for the Macintosh, HPUX and Solaris versions will be slightly delayed. When they are available, a notice will be posted on http://www.microsoft.com/windows/ie/security/.
Please see the following references for more information related to this issue.
- Microsoft Security Bulletin 98-020, Patch Available for "Frame Spoof" Vulnerability (the Web-posted version of this bulletin), http://www.microsoft.com/technet/security/bulletin/ms98-020.mspx.
- Microsoft Knowledge Base (KB) article 167614, Update Available For "Frame Spoof" Security Issue, http://support.microsoft.com/default.aspx?scid=kb;en-us;167614&sd=tech.
Microsoft wishes to acknowledge Dr. Richard Reiner of SecureXpert Labs for discovering the Frame Spoof vulnerability, and Juan Carlos Garcia Cuartango of Spain for his continued assistance and input regarding variants of the Untrusted Scripted Paste Issue.
Obtaining Support on this Issue
This is a supported patch. If you have problems installing this patch or require technical assistance with this patch, please contact Microsoft Technical Support. For information on contacting Microsoft Technical Support, please see http://support.microsoft.com/contactussupport/?ws=support.
- December 23, 1998: Bulletin Created
- V2.0 (May 16, 2003): Introduced versioning and updated patch availability information.
For additional security-related information about Microsoft products, please visit http://www.microsoft.com/technet/security
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.
Built at 2014-04-18T13:49:36Z-07:00