Microsoft Internet Explorer Web Folder Behaviors Cross-Domain Scripting Vulnerability



Date Discovered

August 9, 2005


Microsoft Internet Explorer is prone to a security vulnerability that may let a Web page execute malicious script code in the context of an arbitrary domain or browser security zone. This issue is the result of a security flaw in the browser security model when handling URIs when a Web folder view is rendered. If exploited to access a foreign domain, this could allow script code embedded in a malicious Web page to access the properties of another site that the victim of the attack may trust. This would likely be exploited to steal credentials or sensitive information from the victim. The issue could also be exploited to execute arbitrary code by running malicious script code in a browser security zone with lowered security settings, such as the Local Machine, Trusted Sites or Intranet zone. Code execution would occur in the context of the currently logged in user.

Technologies Affected

  • Microsoft Internet Explorer 5.0.1
  • Microsoft Internet Explorer 5.0.1 SP1
  • Microsoft Internet Explorer 5.0.1 SP2
  • Microsoft Internet Explorer 5.0.1 SP3
  • Microsoft Internet Explorer 5.0.1 SP4
  • Microsoft Internet Explorer 5.5
  • Microsoft Internet Explorer 5.5 SP1
  • Microsoft Internet Explorer 5.5 SP2
  • Microsoft Internet Explorer 6.0
  • Microsoft Internet Explorer 6.0 SP1
  • Microsoft Internet Explorer 6.0 SP2 do not use


Run all software as a nonprivileged user with minimal access rights.
All non-administrative tasks, such as browsing the Web and reading email, should be performed as an unprivileged user with minimal access rights.

Do not follow links provided by unknown or untrusted sources.
Users should avoid visiting Web sites of questionable integrity or following links provided by an unfamiliar or untrusted source.

Set web browser security to disable the execution of script code or active content.
Disabling support for scripting and active content in the Internet Zone may limit exposure to this and other vulnerabilities.

Microsoft has released fixes to address supported versions of the software. Fixes for Internet Explorer on Windows 98/98SE/ME may be obtained through Windows Update. Microsoft has updated the security bulletin for this issue to reflect the availability of updated fixes. This is due to an issue with Systems Management Server (SMS) and the original fixes. Users who updated using Automatic Update, Windows Update, Microsoft Update, and Windows Server Update Services (WSUS) do not need to re-apply the fixes.



This issue was announced by Microsoft.

© 1995- Symantec Corporation

Permission to redistribute this alert electronically is granted as long as it is not edited in any way unless authorized by Symantec Security Response. Reprinting the whole or part of this alert in any medium other than electronically requires permission from


The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.

Symantec, Symantec products, Symantec Security Response, and are registered trademarks of Symantec Corp. and/or affiliated companies in the United States and other countries. All other registered and unregistered trademarks represented in this document are the sole property of their respective companies/owners.