Microsoft small business knowledge base

Article ID: 976949 - Last Review: July 1, 2010 - Revision: 4.0

INTRODUCTION

Cumulative security update for Internet Explorer 974455 (described in MS09-054 (http://www.microsoft.com/technet/security/bulletin/MS09-054.mspx)) introduced additional "Type" safety checks into various methods to address identified security vulnerabilities. Under certain scenarios, these new type safety checks can result in "Type Mismatch" script errors in Web pages that use VBScript or in Web pages that use a mixture of VBScript and JavaScript.

For more information about MS09-054, click the following article number to view the article in the Microsoft Knowledge Base:
974455 (http://support.microsoft.com/kb/974455/) MS09-054: Cumulative security update for Internet Explorer

SYMPTOMS

Web pages that use VBScript as the client-side scripting language and that use the showModalDialog() or the showModelessDialog() methods may encounter a "Type Mismatch" script error. Microsoft has identified the following three scenarios in which a "Type Mismatch" script error could be generated:
  • showModalDialog()
    The first scenario involves passing an Array() value as a parameter to the showModalDialog() method in VBScript. The showModalDialog() method supports one required argument (sURL) and two optional arguments (vArguments and sFeatures). The vArguments parameter is a VARIANT Type parameter that specifies the arguments to use when displaying the document. If a developer decides to pass an Array() directly to the optional vArguments parameter, a "Type Mismatch" script error will occur.

    For more information about the showModalDialog method, visit the following Microsoft MSDN Web page:
    http://msdn.microsoft.com/en-us/library/ms536759(VS.85).aspx (http://msdn.microsoft.com/en-us/library/ms536759(VS.85).aspx)
  • showModelessDialog()
    The second scenario involves passing an Array() value as a parameter to the showModelessDialog() method in VBScript. The showModelessDialog() method supports one required argument (sURL) and two optional arguments (vArguments and sFeatures). The vArguments parameter is a VARIANT Type parameter that specifies the arguments to use when displaying the document. If a developer decides to pass an Array() directly to the optional vArguments parameter, a "Type Mismatch" script error will occur.

    For more information about the showModelessDialog method, visit the following Microsoft MSDN Web page:
    http://msdn.microsoft.com/en-us/library/ms536761(VS.85).aspx (http://msdn.microsoft.com/en-us/library/ms536761(VS.85).aspx)
  • returnValue
    The third scenario involves the explicit setting of the returnValue property of a Modal Dialog window. The returnValue property is a read/write property that has no default value. According to documentation on MSDN, the returnValue property applies only to those windows created with the showModalDialog() method. If a developer decides to explicitly set the returnValue property of a Modal Dialog window to an Array() value in VBScript, a "Type Mismatch" script error will occur.

    For more information about the returnValue property, visit the following Microsoft MSDN Web page:
    http://msdn.microsoft.com/en-us/library/ms534371(VS.85).aspx (http://msdn.microsoft.com/en-us/library/ms534371(VS.85).aspx)
Currently, Microsoft has not observed "Type Mismatch" script errors arising from cumulative security update 974455 in Web pages that use JavaScript as their sole client-side scripting language. Only Web pages that use the showModalDialog() method, the showModelessDialog() method, or the returnValue property within VBScript seem to be affected. If the Web page contains a mixture of both VBScript and JavaScript, it may be affected if the Web page uses the methods or properties that were discussed earlier within VBScript or if the Web page uses the VBArray object. Use of the VBArray object is uncommon, and scenarios that involve VBArray will not be covered by this Knowledge Base article.
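
The three scenarios above can be searched for in existing pages before the update is rolled out. The following is an added example, not part of the original article or any Microsoft tool: a heuristic scanner that flags, inside VBScript blocks only, an Array() value written directly in a dialog call and a returnValue assignment from a variable known to hold an array. The function name scan_page and the sample page are assumptions made for illustration.

```python
import re

# Heuristic patterns for the three scenarios described in the Symptoms section.
SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script\s*>", re.I | re.S)
VBS_RE = re.compile(r"(?:language|type)\s*=\s*[\"']?(?:text/)?vbscript", re.I)
DIALOG_RE = re.compile(r"\b(showModalDialog|showModelessDialog)\s*\((.*)", re.I)
RETVAL_RE = re.compile(r"^\s*(?:\w+\.)*returnValue\s*=\s*(\w+)", re.I)
ARRAY_DIM_RE = re.compile(r"^\s*(?:Re)?Dim\s+(?:Preserve\s+)?(\w+)\s*\(", re.I)
ARRAY_SET_RE = re.compile(r"^\s*(\w+)\s*=\s*(?:Array|Split)\s*\(", re.I)

# Constructed sample page (not from the article).
SAMPLE = """<html><body>
<script language="vbscript">
Dim myArray
myArray = Array(1,2,3)
r = window.showModalDialog("dialog.htm", Array(1,2,3))
r = window.showModalDialog("dialog.htm", myArray)
Dim items(2)
Window.returnValue = items
Window.returnValue = Join(items, ";")
</script>
<script type="text/javascript">
window.returnValue = [1, 2, 3];
</script>
</body></html>"""


def scan_page(html):
    """Return (line_no, scenario, source_line) for each risky VBScript statement."""
    findings = []
    for m in SCRIPT_RE.finditer(html):
        if not VBS_RE.search(m.group(1)):
            continue  # JavaScript-only blocks are not affected per the article
        first_line = html.count("\n", 0, m.start(2)) + 1
        arrays = set()  # lower-cased names known to hold arrays in this block
        for offset, line in enumerate(m.group(2).split("\n")):
            if line.strip().startswith("'"):
                continue  # skip VBScript comment lines
            for rx in (ARRAY_DIM_RE, ARRAY_SET_RE):
                hit = rx.match(line)
                if hit:
                    arrays.add(hit.group(1).lower())
            call = DIALOG_RE.search(line)
            if call and re.search(r"\bArray\s*\(", call.group(2), re.I):
                findings.append((first_line + offset, call.group(1), line.strip()))
            ret = RETVAL_RE.match(line)
            if ret and ret.group(1).lower() in arrays:
                findings.append((first_line + offset, "returnValue", line.strip()))
    return findings
```

The scan is line-based, so it does not follow VBScript line continuations or arrays that reach returnValue through a function result; treat an empty result as "nothing obvious found", not as proof that a page is unaffected.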

CAUSE

Cumulative security update for Internet Explorer MS09-054 (http://www.microsoft.com/technet/security/bulletin/MS09-054.mspx) was released to address identified security vulnerabilities in Internet Explorer. As part of the cumulative security update, Internet Explorer introduced new checks against unintended casting of VARIANT Type parameters into dangerous data types. These checks impose additional security restraints on VARIANT Type parameters that are passed as part of user-controlled variables, in order to protect the user from certain kinds of attacks. The checks may also affect legitimate browsing scenarios that use VARIANT data types.

RESOLUTION

To resolve this problem, install update 976749 after you install security update 974455. For more information about this issue, click the following article number to view the article in the Microsoft Knowledge Base:
976749 (http://support.microsoft.com/kb/976749/) An update is available for Internet Explorer that resolves issues that occur after you apply security update 974455 (MS09-054)

Important Do not install update 976749 if you have not installed security update 974455. If you install update 976749 without first installing security update 974455, Internet Explorer may not work correctly. If this occurs, uninstall update 976749, install security update 974455, and then reinstall update 976749.

WORKAROUND

We recommend that you continue to apply cumulative security update 974455 and that you install update 976749 if you experience the symptoms that are described in this article. Customers who decide to remove the cumulative security update will put their systems at risk.

For the first and second scenarios that are discussed in the "Symptoms" section, you can implement a workaround if you do not want to install security update 974455. To work around the issue, explicitly assign the Array() value to a declared VBScript variable, and pass that variable instead. Arrays that are held in a variable can be passed to the showModalDialog() or the showModelessDialog() methods without a "Type Mismatch" script error.

For example, the following VBScript will cause a "Type Mismatch" script error.
' TYPE MISMATCH
vReturn = window.showModalDialog("http://www.contoso.com", Array(1,2,3,4,5,6,7))
The following VBScript will pass an array to the showModalDialog() or showModelessDialog() methods without a "Type Mismatch" script error.
' NO TYPE MISMATCH ERROR
Dim myArray
myArray=Array(1,2,3,4,5,6,7)
vReturn = window.showModalDialog("http://www.contoso.com", myArray)
For the third scenario that was discussed earlier, you can implement a workaround if you do not want to install security update 974455. To work around the issue in scenarios where a single dimension Array() value is passed to the returnValue property, use the Join and Split VBScript functions. This lets you pass Array() values to the returnValue property.

For example, the following VBScript generates a "Type Mismatch" script error.

' TYPE MISMATCH
Dim arrayItems(2)
arrayItems(0) = 1
arrayItems(1) = 2
arrayItems(2) = 3
Window.returnvalue = arrayItems
When you use the Join and Split VBScript functions, you can set the returnValue property without generating a "Type Mismatch" script error.

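' NO TYPE MISMATCH ERROR
' In the dialog page: join the array into a string before setting returnValue
Dim arrayItems(2)
arrayItems(0) = 1
arrayItems(1) = 2
arrayItems(2) = 3

Dim arrString
arrString = Join(arrayItems, ";")
Window.returnvalue = arrString

' In the calling page: split the returned string back into an array
Dim strTemp
strTemp = window.showModalDialog(……)
Dim arrayItems
arrayItems = Split(strTemp, ";")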

For the third scenario that was discussed earlier, where multidimensional Array() values or Array() values that have objects are passed to the returnValue property, you can implement a workaround if you do not want to install security update 974455. To work around the issue in this scenario, you can use a JavaScript function to set the returnValue property. This JavaScript function is available to VBScript subroutines and functions. Any returnValue property value that is set by a JavaScript function will be available to VBScript.

For example, the following VBScript generates a "Type Mismatch" script error.
<!-- TYPE MISMATCH -->
<script LANGUAGE=vbscript>
Option Explicit
Sub Window_OnLoad
Dim abc(1,2,3)
Window.ReturnValue = abc
End Sub
</script>
Using a JavaScript function together with an existing VBScript lets you set the returnValue property without generating a "Type Mismatch" script error.
<!-- NO TYPE MISMATCH ERROR -->
<script Language=JavaScript>
function setReturnValue(){
var returnValueArray= new Array();
returnValueArray[0] = 1;
returnValueArray[1] = 2;
returnValueArray[2] = 3;
window.returnValue = returnValueArray;
}
</script>

<script LANGUAGE=vbscript>
Option Explicit

Sub Window_OnLoad
setReturnValue()
msgbox window.returnValue
End Sub
</script>

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
Note This is a "FAST PUBLISH" article created directly from within the Microsoft support organization. The information contained herein is provided as-is in response to emerging issues. As a result of the speed in making it available, the materials may include typographical errors and may be revised at any time without notice. See Terms of Use (http://go.microsoft.com/fwlink/?LinkId=151500) for other considerations.

APPLIES TO
  • Windows Internet Explorer 8, when used with:
    • Windows Server 2008 Datacenter without Hyper-V
    • Windows Server 2008 Enterprise without Hyper-V
    • Windows Server 2008 for Itanium-Based Systems
    • Windows Server 2008 Standard without Hyper-V
    • Windows Server 2008 Datacenter
    • Windows Server 2008 Enterprise
    • Windows Server 2008 Standard
    • Windows Web Server 2008
    • Windows Server 2008 R2 Datacenter
    • Windows Server 2008 R2 Enterprise
    • Windows Server 2008 R2 Standard
    • Windows Web Server 2008 R2
    • Windows 7 Enterprise
    • Windows 7 Home Basic
    • Windows 7 Home Premium
    • Windows 7 Professional
    • Windows 7 Ultimate
    • Windows Vista Business
    • Windows Vista Enterprise
    • Windows Vista Home Basic
    • Windows Vista Home Premium
    • Windows Vista Ultimate
    • Windows Vista Enterprise 64-bit Edition
    • Windows Vista Home Basic 64-bit Edition
    • Windows Vista Home Premium 64-bit Edition
    • Windows Vista Ultimate 64-bit Edition
    • Windows Vista Business 64-bit Edition
    • Microsoft Windows XP Professional
    • Microsoft Windows XP Home Edition
    • Microsoft Windows XP Professional x64 Edition
    • Microsoft Windows Server 2003, Datacenter x64 Edition
    • Microsoft Windows Server 2003, Enterprise x64 Edition
    • Microsoft Windows Server 2003, Standard x64 Edition
    • Microsoft Windows Server 2003, Web Edition
    • Microsoft Windows Server 2003, Standard Edition (32-bit x86)
    • Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
    • Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
    • Microsoft Windows Server 2003, Datacenter Edition for Itanium-Based Systems
    • Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
  • Windows Internet Explorer 7, when used with:
    • Windows Server 2008 Datacenter without Hyper-V
    • Windows Server 2008 Enterprise without Hyper-V
    • Windows Server 2008 for Itanium-Based Systems
    • Windows Server 2008 Standard without Hyper-V
    • Windows Server 2008 Datacenter
    • Windows Server 2008 Enterprise
    • Windows Server 2008 Standard
    • Windows Web Server 2008
    • Windows Server 2008 R2 Datacenter
    • Windows Server 2008 R2 Enterprise
    • Windows Server 2008 R2 Standard
    • Windows Web Server 2008 R2
    • Windows 7 Enterprise
    • Windows 7 Home Basic
    • Windows 7 Home Premium
    • Windows 7 Professional
    • Windows 7 Ultimate
    • Windows Vista Business
    • Windows Vista Enterprise
    • Windows Vista Home Basic
    • Windows Vista Home Premium
    • Windows Vista Ultimate
    • Windows Vista Enterprise 64-bit Edition
    • Windows Vista Home Basic 64-bit Edition
    • Windows Vista Home Premium 64-bit Edition
    • Windows Vista Ultimate 64-bit Edition
    • Windows Vista Business 64-bit Edition
    • Microsoft Windows XP Professional
    • Microsoft Windows XP Home Edition
    • Microsoft Windows XP Professional x64 Edition
    • Microsoft Windows Server 2003, Datacenter x64 Edition
    • Microsoft Windows Server 2003, Enterprise x64 Edition
    • Microsoft Windows Server 2003, Standard x64 Edition
    • Microsoft Windows Server 2003, Web Edition
    • Microsoft Windows Server 2003, Standard Edition (32-bit x86)
    • Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
    • Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
    • Microsoft Windows Server 2003, Datacenter Edition for Itanium-Based Systems
    • Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
  • Microsoft Internet Explorer 6.0, when used with:
    • Microsoft Windows XP Professional
    • Microsoft Windows XP Home Edition
    • Microsoft Windows XP Professional x64 Edition
    • Microsoft Windows Server 2003, Datacenter x64 Edition
    • Microsoft Windows Server 2003, Enterprise x64 Edition
    • Microsoft Windows Server 2003, Standard x64 Edition
    • Microsoft Windows Server 2003, Web Edition
    • Microsoft Windows Server 2003, Standard Edition (32-bit x86)
    • Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
    • Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
    • Microsoft Windows Server 2003, Datacenter Edition for Itanium-Based Systems
    • Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
  • Microsoft Internet Explorer 5.01 Service Pack 4, when used with:
    • Microsoft Windows 2000 Advanced Server
    • Microsoft Windows 2000 Professional Edition
    • Microsoft Windows 2000 Server
  • Microsoft Security Essentials
Keywords: 
kbcode kbtshoot kbbug kbexpertiseinter kbsecurity kbsecvulnerability kbsurveynew KB976949