Update Available For "Frame Spoof" Security Issue

ID: Q167614

The information in this article applies to:

SUMMARY

Microsoft has made an update available that addresses a potential security issue with regard to the use of frames in Internet Explorer. Additional information about this issue is available from the following Microsoft Web sites:

Updates are available for the following products:

This issue may enable a malicious Web site operator to mimic a legitimate Web site by inserting a window as a frame within the legitimate Web site's window. Microsoft has not received any reports of adverse effects as a result of this issue.

This update also fixes the "Untrusted Scripted Paste" and "Cross Frame Navigate" issues in Microsoft Internet Explorer 4.01 and 4.01 Service Pack 1 running on Windows operating systems. Additional information is available at the following Microsoft Web site:

After installing this update, "3214" is added to the "Update versions" line when you click About Internet Explorer on the Help menu.

NOTE: Internet Explorer 5 automatically includes protection against the "Frame Spoof" vulnerability at High security. To enable this protection in Internet Explorer 5 without using a High security setting, use the following steps:

1. Click Start, point to Settings, click Control Panel, and then double-click Internet.

2. Click the Security tab.

3. Under "Select a Web content zone to specify its security settings," click Internet.

4. Click Custom Level.

5. Under "Navigate sub-frames across different domains," click Disable.

6. Click OK.

MORE INFORMATION

Update Information by Product:

WARNING: This Frame Spoof patch may affect programs that host WebBrowser controls. Microsoft recommends you not install this patch if your program is affected.

NOTE: If you are using Internet Explorer 3.x or 4.0, you must install Internet Explorer 4.01 in order to apply this update. You can install Internet Explorer 4.01 with Service Pack 1 from the following Microsoft Web site:

   http://www.microsoft.com/windows/ie/download

Microsoft Internet Explorer 4.01 and 4.01 with Service Pack 1 for Windows 95:

   Update File Name:  3214.exe
   Availability:      http://www.microsoft.com/windows/ie/security

   Updated File Name    Size (bytes)   Date       Version
   -------------------------------------------------------------
   Mshtml.dll           2422032        12/19/98   4.72.3612.1700

Microsoft Internet Explorer 4.01 and 4.01 with Service Pack 1 for Windows NT 4.0 x86:

   Update File Name:  3214.exe
   Availability:      http://www.microsoft.com/windows/ie/security

   Updated File Name    Size (bytes)   Date       Version
   -------------------------------------------------------------
   Mshtml.dll           2421520        12/19/98   4.72.3612.1700

Microsoft Internet Explorer 4.01 and 4.01 with Service Pack 1 for Windows NT 4.0 Alpha:

   Update File Name:  3214a.exe
   Availability:      http://www.microsoft.com/windows/ie/security

   Updated File Name    Size (bytes)   Date       Version
   -------------------------------------------------------------
   Mshtml.dll           3948304        12/19/98   4.72.3612.1700

Windows 98:

   Update File Name:  3214.exe
   Availability:      Microsoft Windows Update

   Updated File Name    Size (bytes)   Date       Version
   -------------------------------------------------------------
   Mshtml.dll           2422832        12/19/98   4.72.3612.1700

Microsoft Internet Explorer 4.01 for Windows 3.1 and Windows NT 3.51:

   Update File Name:  3214.exe
   Availability:      http://www.microsoft.com/windows/ie/security

   Updated File Name    Size (bytes)   Date       Version
   ------------------------------------------------------------
   Mshtml16.dll         3086400        12/21/98   4.1.2512.2100

NOTE: After applying this update, cross-frame navigation will be permitted only in the following cases:

1. You own the frame (ownership is defined as being the direct parent).

2. You are in the same domain as the owner of the frame.

   -or-

3. The frame is a top-level window (applies to "target=" cases).

Also, after applying this update, you may receive the following error message when loading a Web page that contains the potential security issue:

   Internet Explorer Script Error
   An error has occurred in the script on this page.

     Line:  <line number>
     Char:  <character number>
     Error: Permission denied
     Code:  <code number>

   Do you want to continue running scripts on this page?
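
The three cases above can be modeled as a small decision function. This is an added example, not Microsoft code or part of the original article. The Frame class, the checkNavigation function, and the host names are hypothetical, and "domain" is assumed to be compared as an exact host string.

```javascript
// Model of the post-update rule as this article states it (not Internet Explorer code).
// Assumption: "domain" is compared as an exact host string.
class Frame {
  constructor(name, domain, parent = null) {
    this.name = name;
    this.domain = domain;
    this.parent = parent; // null means a top-level window
  }
}

// Returns { allowed, reason } for `source` trying to navigate `target`.
function checkNavigation(source, target) {
  // Case 3: the target is a top-level window ("target=" cases).
  if (target.parent === null) {
    return { allowed: true, reason: "target is a top-level window" };
  }
  const owner = target.parent; // ownership is defined as being the direct parent
  // Case 1: the source owns the frame.
  if (owner === source) {
    return { allowed: true, reason: "source owns the frame" };
  }
  // Case 2: the source is in the same domain as the owner of the frame.
  if (owner.domain === source.domain) {
    return { allowed: true, reason: "source is in the owner's domain" };
  }
  // Anything else surfaces to script as the error shown above.
  return { allowed: false, reason: "Permission denied" };
}

// Constructed sample: two unrelated top-level windows with placeholder hosts.
const bank = new Frame("bankTop", "bank.example");
const bankMenu = new Frame("menu", "bank.example", bank);
const bankContent = new Frame("content", "bank.example", bank);
const other = new Frame("otherTop", "other.example");

const cases = [
  [bank, bankContent],     // parent navigates its own frame
  [bankMenu, bankContent], // sibling frame in the owner's domain
  [other, bankContent],    // foreign window targets the frame: the frame spoof case
  [other, bank],           // foreign window targets a top-level window
];
for (const [src, dst] of cases) {
  const r = checkNavigation(src, dst);
  console.log(`${src.name} -> ${dst.name}: ${r.allowed ? "allow" : "deny"} (${r.reason})`);
}
```

Only the third case is denied, which is the situation the SUMMARY describes: a window from another site placing content into a frame inside the legitimate site's window.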

Keywords          : msiew95 msient msiew31 msiemac msieunix win98 ie4sp1 msiew98 
Version           : WINDOWS:
Platform          : WINDOWS
Issue type        : kbinfo

Last Reviewed: April 27, 1999