Vulnerability Note VU#328163
Microsoft Windows XMLHTTP component allows remote access to local data sources
The Microsoft XMLHTTP ActiveX control allows unauthorized reading of any known file on a system. A victim must be enticed to visit a malicious site in order to be attacked.
Description (from MS02-008):
Microsoft XML Core Services (MSXML) includes the XMLHTTP ActiveX
- It would not be possible to exploit this vulnerability via HTML mail.
- The attacker would need to know the full path and file name of a file in order to read it.
A remote attacker who can entice a victim to visit a malicious web site can read any file that the user can read. Note that this vulnerability is not believed to allow file modification (no file writing, inserting, or deleting).
Apply the patches found in MS02-008.
To download MSXML 4.0 Service Pack 1, visit the following Microsoft Web site:
If you have only Msxml.dll, you do not need the patch because this is an earlier, unaffected version.
Systems Affected
| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| Microsoft Corporation | Affected | - | 02 Oct 2002 |
This document was written by Jeffrey S. Havrilla based on information provided by Microsoft.
- CVE IDs: CAN-2002-0057
- Date Public: 17 Dec 2001
- Date First Published: 01 Oct 2002
- Date Last Updated: 02 Oct 2002
- Severity Metric: 10.40
- Document Revision: 28