Proactive IT Security
 

Internet Explorer 5 and Active Scripting

Security Information  Week 43, 1999

During the last few weeks, several security issues involving Internet Explorer version 5 have been discovered. They concern the functionality in Microsoft Internet Explorer called Active Scripting.

Describing the vulnerabilities in full would extend beyond the scope of this Security Information; we refer to the links at the bottom of the page. In short, the vulnerabilities are as follows:

  • The "Download Behavior" Vulnerability, which may enable a web page author to read a file on a computer connected to the Internet. A patch is available at the time of writing.
  • The "IFRAME ExecCommand" Vulnerability, which may enable a web page author to read files on a computer connected to the Internet by using a scripting command from a browser sub-window started by the IFRAME HTML tag. This vulnerability also affects Internet Explorer version 4.01 prior to Service Pack 2. A patch is available at the time of writing. Note, however, that applying this IFRAME patch reportedly makes the system vulnerable to another issue, the Cross-Frame Navigation problem, even if the patch for that problem has been applied. A new patch is expected later.
  • The "JavaScript Redirect" Vulnerability, which may enable a web page author to read files on a computer connected to the Internet. No patch is available at the time of writing. Microsoft recommends disabling Active Scripting as a workaround (see below).

Where patches are available, information about where to obtain them is in the links to Microsoft's web site at the end of this page.

The vulnerabilities mentioned above may be avoided by restricting the security settings in Internet Explorer. All of them use the Active Scripting functionality, and disabling it would protect the system against these security issues.

To disable Active Scripting when visiting web pages on the Internet, follow this procedure in Internet Explorer 5.0:

  1. Select the menu choice Tools | Internet Options
  2. Select the Security tab
  3. Highlight the Internet zone and click the Custom Level button
  4. Scroll down in the list to the Scripting heading and choose Disable for the Active scripting subheading.
  5. Confirm the selection by clicking the OK buttons twice.

Note that this may have as a side effect that web pages that rely on Active Scripting functionality may not be seen as the author intended.
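
The dialog steps above change one per-user registry value, which can be audited or set from a script. The following PowerShell is an added example, not part of the original bulletin or of Microsoft's guidance; it assumes the standard zone mapping (zone 3 is the Internet zone, action 1400 is Active scripting, data 0/1/3 means Enable/Prompt/Disable), and its function names are illustrative.

```powershell
# Added example: audit (and with -Apply, set) "Active scripting" for the Internet zone.
# Assumptions: zone 3 = Internet, action 1400 = Active scripting,
# DWORD data 0 = Enable, 1 = Prompt, 3 = Disable.
param([switch]$Apply)

$ZoneSubKey = 'Internet Settings\Zones\3'
$Action     = '1400'
$Meaning    = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }
$UserBase   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion'

# The dialog writes the per-user preference; Group Policy copies of the same
# value can exist under the Policies keys, so all three locations are reported.
$Bases = @(
    'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion',
    'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion',
    $UserBase
)

function Get-ActiveScriptingSetting {
    foreach ($base in $Bases) {
        $path = Join-Path $base $ZoneSubKey
        $item = Get-ItemProperty -Path $path -Name $Action -ErrorAction SilentlyContinue
        if ($null -eq $item) { continue }          # value not set at this location
        $value = [int]$item.$Action
        $label = if ($Meaning.ContainsKey($value)) { $Meaning[$value] } else { 'Unknown' }
        [pscustomobject]@{ Path = $path; Value = $value; Setting = $label }
    }
}

function Set-ActiveScriptingDisabled {
    $path = Join-Path $UserBase $ZoneSubKey
    # Create the key only if missing: New-Item -Force on an existing key would reset it.
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    New-ItemProperty -Path $path -Name $Action -Value 3 -PropertyType DWord -Force | Out-Null
}

if ($Apply) { Set-ActiveScriptingDisabled }

$found = @(Get-ActiveScriptingSetting)
if ($found.Count -eq 0) {
    Write-Output 'Action 1400 is not set explicitly at any checked location.'
} else {
    $found | Format-Table -AutoSize
    $found | Where-Object { $_.Value -ne 3 } |
        ForEach-Object { Write-Warning "Active scripting is not disabled at $($_.Path)" }
}
```

Run without arguments, the script only reports; with `-Apply` it writes the per-user value first, which is the same change the dialog makes.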

No doubt the many vulnerabilities involving Active Scripting will encourage heavy investigation into the other capabilities that Active Scripting makes available, and this will probably result in new vulnerabilities being discovered. Security-conscious users may want to consider whether turning off Active Scripting permanently in Internet Explorer is the best option, even when patches are available for all published vulnerabilities.

Information from Microsoft regarding the vulnerabilities discussed in this Security Information may be obtained from the links below. All these Security Bulletins have links to corresponding Frequently Asked Questions which definitely are worth reading for those interested in more detailed information.

Per Olav Førland