DOCUMENT:Q218619 20-MAY-2002 [winnt] TITLE :Taskpads Let Web Sites Invoke Executables on a User's Computer PRODUCT :Microsoft Windows NT PROD/VER:WINDOWS:; winnt:4.0 OPER/SYS: KEYWORDS: ====================================================================== ------------------------------------------------------------------------------- The information in this article applies to: - Microsoft Windows 98 - Microsoft BackOffice Server 4.0 ------------------------------------------------------------------------------- SYMPTOMS ======== Taskpads is a feature that allows users to view and run Windows management tools through an HTML page rather than the Windows control. A vulnerability has been discovered in Taskpads that lets Web sites invoke executables on a user's workstation. CAUSE ===== This vulnerability results because certain methods provided by Taskpads are incorrectly marked as "safe for scripting." RESOLUTION ========== A patch is available for this issue that removes the Taskpads functionality, which is rarely used. A supported fix that corrects this problem is now available from Microsoft, but has not been fully regression tested and should be applied only to systems determined to be at risk of attack. Please evaluate your system's physical accessibility, network and Internet connectivity, and other factors to determine the degree of risk to your system. If your system is sufficiently at risk, Microsoft recommends you apply this fix. To resolve this problem immediately, obtain the fix as described below. For a complete list of Microsoft Product Support Services phone numbers and information on support costs, please go to the following address on the World Wide Web: http://support.microsoft.com/default.aspx?scid=fh;EN-US;CNTACTMS Windows 98 Resource Kit and Windows 98 Resource Kit Sampler ----------------------------------------------------------- This patch has been posted to the following Internet location: ftp://ftp.microsoft.com/reskit/win98/taskpads/ BackOffice Resource Kit, Second Edition --------------------------------------- This patch has been posted to the following Internet locations: x86: ftp://ftp.microsoft.com/reskit/nt4/x86/taskpads/ Alpha: ftp://ftp.microsoft.com/reskit/nt4/alpha/taskpads/ STATUS ====== Microsoft has confirmed this problem could result in some degree of security vulnerability in Taskpads included with the Windows 98 Resource Kit, the Windows 98 Resource Kit Sampler, and the BackOffice Resource Kit, second edition. MORE INFORMATION ================ Taskpads is included with: - Microsoft Windows 98 Resource Kit - Microsoft Windows 98 Resource Kit Sampler (included as part of Windows 98 but not installed by default) - Microsoft BackOffice Resource Kit, second edition Additional query words: 4.00 98 95 rkit reskit ms99-007 Patch Available for TaskPad Scripting Vulnerability ====================================================================== Keywords : Technology : kbAudDeveloper kbWin98search kbBackOfficeSearch kbWin98 kbBackOfficeServ400 Version : WINDOWS:; winnt:4.0 Hardware : ALPHA x86 Issue type : kbbug Solution Type : kbfix ============================================================================= THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY. Copyright Microsoft Corporation 2002.