Microsoft Corporation Information for VU#980499

Certain MIME types can cause Internet Explorer to execute arbitrary code when rendering HTML

Status

Affected

Vendor Statement

Please see the advisory (MS01-020, "Incorrect MIME Header Can Cause IE to Execute E-mail Attachment") related to this issue at:

http://www.microsoft.com/technet/security/bulletin/MS01-020.asp

A patch is available for this issue at:
http://www.microsoft.com/windows/ie/download/critical/Q290108/default.asp

Note: The above patch has been supserseded by the IE 5.5 patches discussed in MS01-027. A cumulative patch for this and other vulnerabilities is discussed in MS02-023.

IE 6 is not vulnerable to this issue.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Vendor References

None

Addendum

As noted in the MS01-020 Caveats section of the advisory, end users must apply this patch to supported versions of Microsoft's browser. This means IE must upgrade to IE 5.01 Service Pack 1 or IE 5.5 Service Pack 1 users must apply this patch. Users of IE who have not previously upgraded will receive an incorrect message stating that they do not need to apply this patch. Users are advised to upgrade to IE 5.5 SP1, IE 5.01 SP1 or SP2 (which has this patch incorporated in it).

From MS01-020:

Caveats:
If the patch is installed on a system running a version of IE other
than the one it is designed for, an error message will be displayed
saying that the patch is not needed. This message is incorrect, and
customers who see this message should upgrade to a supported version
of IE and re-install the patches.

If you have feedback, comments, or additional information about this vulnerability, please send us email.