Update Available for Window.External JScript Security Issue

ID: Q191200

The information in this article applies to:

Microsoft Internet Explorer versions 4.0, 4.01 for Windows 95
Microsoft Internet Explorer versions 4.0, 4.01 for Windows NT 4.0
Microsoft Windows 98

SUMMARY

Microsoft has made an update available to Microsoft Scripting Engines version 3.1 that addresses an issue regarding the way Internet Explorer handles very long strings with the Window.External JScript function. Additional information about this issue is available on the following Microsoft Web sites:


   <LINK TYPE="GENERIC" VALUE="http://www.microsoft.com/ie/security/jscript.htm">http://www.microsoft.com/ie/security/jscript.htm</LINK>
   <LINK TYPE="GENERIC" VALUE="http://www.microsoft.com/security/bulletins/ms98-011.asp">http://www.microsoft.com/security/bulletins/ms98-011.asp</LINK>

Updates are available for the following products:

Microsoft Internet Explorer 4.0, 4.01, and 4.01 Service Pack 1 for Windows 95 and Windows NT 4.0

Microsoft Windows 98

Internet Explorer 4.0 and 4.01 for Windows 3.1, Windows NT 3.51, Macintosh, and UNIX on Sun Solaris are not affected by this problem. Internet Explorer version 3.x is also not affected.

This issue can cause Internet Explorer to quit unexpectedly when you view a Web page that contains a script written in JScript that uses the Window.External function with a very long string. It is difficult but possible for an individual to cause malicious code to be run on your computer as a result of this problem. There have not been any reports of customers being affected by this problem.

MORE INFORMATION

This update installs the files listed below.

Microsoft Internet Explorer 4.0, 4.01, 4.01 Service Pack 1, and 4.01 Service Pack 2 for Windows 95 and Windows NT 4.0 on Intel x86 platforms:


   Update file name:  Scr31en.exe


   Available at:      <LINK TYPE="GENERIC" VALUE="http://www.microsoft.com/ie/security">http://www.microsoft.com/ie/security</LINK>


   Updated file name    Size (bytes)   Date       Version
   ---------------------------------------------------------
   Jscript.dll          484,624        7-2-98     3.1.0.3101
   Vbscript.dll         335,120        7-2-98     3.1.0.3101
   Dispex.dll            53,520        7-2-98     3,1,0,3101
   Scrrun.dll           172.816        7-2-98     3.1.0.3101

Microsoft Internet Explorer 4.0, 4.01, 4.01 Service Pack 1, and 4.01 Service Pack 2 for Windows NT 4.0 on Alpha platforms:


   Update file name:  Scr31en.exe


   Available at:      <LINK TYPE="GENERIC" VALUE="http://www.microsoft.com/ie/security">http://www.microsoft.com/ie/security</LINK>


   Updated file name    Size (bytes)   Date       Version
   ---------------------------------------------------------
   Jscript.dll          811,844        7-2-98     3.1.0.3101
   Vbscript.dll         595,269        7-2-98     3.1.0.3101
   Dispex.dll           120,643        7-2-98     3,1,0,3101
   Scrrun.dll           265,027        7-2-98     3.1.0.3101

Windows 98:


   Update file name:  Scr31en.exe


   Available at:      Microsoft Windows Update Web site

(http://windowsupdate.microsoft.com/)


   Updated file name    Size (bytes)   Date       Version
   ---------------------------------------------------------
   Jscript.dll          484,624        7-2-98     3.1.0.3101
   Vbscript.dll         335,120        7-2-98     3.1.0.3101
   Dispex.dll            53,520        7-2-98     3,1,0,3101
   Scrrun.dll           172.816        7-2-98     3.1.0.3101

NOTE: Version 4.0 (included with Microsoft Visual Studio 6.0) or 5.0 (Beta version available for download) of the Microsoft Scripting Engines are not affected by this problem. If you attempt to install this update over version 4.x or 5.x of the Scripting Engines, you receive the following version conflict messages for each of the four files listed above:

NOTE: You should click Yes (keep your existing file) in Windows 95/98 and No (do not overwrite the newer file) in Windows NT.

For Windows 95/98:


   Version Conflict
   A file being copied is older than the file currently on your
   computer. It is recommended that you keep your existing file.


   Filename: &lt;filename&gt;
   Description: &lt;description&gt;
   Your version: x.x.x.xxxx.


   Do you want to keep this file?

For Windows NT:


   Confirm File Replace
   Source: &lt;path&gt;
   Target: &lt;path&gt;


   The target file exists and is newer than the source. Overwrite the
   newer file?

Reducing Your Risk If You Cannot Apply the Patch

If you are unable to apply the patch, you can reduce your risk of being affected by this problem by disabling Active Scripting in Internet Explorer. To do this, follow these steps:

Click Start, point to Settings, and then click Control Panel.

Double-click Internet, and then click the Security tab.

In the Zone box, click Internet Zone.

Click Custom (For Expert Users), and then click Settings.

Under Scripting, click Disable in the Active Scripting section.

Click OK.

In the Zone box, click Restricted Sites Zone.

Repeat steps 4-6.

Click OK.

Additional query words:


Keywords          : msiew95 msient msieunix win98 
Version           : WINDOWS:
Platform          : WINDOWS 
Issue type        : kbinfo

Last Reviewed: April 2, 1999