Microsoft Security Bulletin MS00-037 announces the availability of a patch that eliminates a vulnerability in the HTML Help facility that ships as part of Microsoft Internet Explorer. Under certain conditions, the vulnerability could allow a malicious web site operator to run code on the computer of a visiting user.
What's the scope of the vulnerability?
This vulnerability could allow a malicious web site operator to cause code to execute on the computer of a user who visited the site. Such code could take any action that the user himself could take, including but not limited to creating, changing or deleting data, or communicating with an external web site.
In order to exploit this vulnerability, the malicious user would need to place an HTML help file in a location accessible to the visitor´s machine. Because of this, customers behind a properly-configured firewall would typically not be at risk. Even customers who are not behind a firewall would not be at risk, if they have used the Security Zones feature in Internet Explorer to disable Active Scripting for untrusted web sites.
Download for Windows NT 4.0 & Windows 9x
Download for Windows 2000
What's the scope of the vulnerability?
This vulnerability could allow a malicious web site operator to cause code to execute on the computer of a user who visited the site. Such code could take any action that the user himself could take, including but not limited to creating, changing or deleting data, or communicating with an external web site.
In order to exploit this vulnerability, the malicious user would need to place an HTML help file in a location accessible to the visitor´s machine. Because of this, customers behind a properly-configured firewall would typically not be at risk. Even customers who are not behind a firewall would not be at risk, if they have used the Security Zones feature in Internet Explorer to disable Active Scripting for untrusted web sites.
Download for Windows NT 4.0 & Windows 9x
Download for Windows 2000