Microsoft Corporation Affected

Updated:  October 02, 2002

Status

Affected

Vendor Statement

Please see MS02-008: http://www.microsoft.com/technet/security/bulletin/ms02-008.asp

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

-----BEGIN PGP SIGNED MESSAGE-----

Title:     XMLHTTP Control Can Allow Access to Local Files
Date:      21 February 2002
Software:  Microsoft XML Core Services
Impact:    Information disclosure
Max Risk:  Critical
Bulletin:  MS02-008

Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com/technet/security/bulletin/MS02-008.asp.

Issue:

Microsoft XML Core Services (MSXML) includes the XMLHTTP ActiveX control, which allows web pages rendering in the browser to send or receive XML data via HTTP operations such as POST, GET, and PUT. The control provides security measures designed to restrict web pages so they can only use the control to request data from remote data sources.

A flaw exists in how the XMLHTTP control applies IE security zone settings to a redirected data stream returned in response to a request for data from a web site. A vulnerability results because an attacker could seek to exploit this flaw and specify a data source that is on the user's local system. The attacker could then use this to return information from the local system to the attacker's web site.

An attacker would have to entice the user to a site under his control to exploit this vulnerability. It cannot be exploited by HTML email. In addition, the attacker would have to know the full path and file name of any file he would attempt to read. Finally, this vulnerability does not give an attacker any ability to add, change or delete data.

Mitigating Factors:

- The vulnerability can only be exploited via a web site. It would not be possible to exploit this vulnerability via HTML mail.
- The attacker would need to know the full path and file name of a file in order to read it.
- The vulnerability does not provide any ability to add, change, or delete files.

Risk Rating:

- Internet systems: Moderate
- Intranet systems: Moderate
- Client systems: Critical

Patch Availability:

- A patch is available to fix this vulnerability. Please read the Security Bulletin at http://www.microsoft.com/technet/security/bulletin/ms02-008.asp for information on obtaining this patch.

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1

iQEVAwUBPHWQL40ZSRQxA/UrAQEbFwf+IpIT14BtaOo2dJfsDKfs/257rCbbfLDj
FifMpUUC0AZXhcVGngqLtfZxwXpfx7TYjTKfXGocIBxzyBoJzfUBRdXoCgL5N5Zi
sQmYP5dI9KWOJwaOnd5fYWYvFrV0rR136B+iMvoFROMp8opnZwGXuB5IGr8AX/u3
i/uQknvpQpaGwdeHw63QVHvbDpUgM5HzznT7rjheNc41Cy45q9uFYd8dxCTdRgFy
z2WwrybmFKrUS6W0tGxRxqSqoiW1MBcPGygp5EZhklrLjPjXk8HyW997uIfFDhF1
s6BSqho49Al5QIGb5UPOL2EFXs5xDTvXkeIWNX+JIPzIpXfDauXR3Q==
=ZiZW
-----END PGP SIGNATURE-----
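The bulletin's core point is that a zone check applied only to the URL a page asks for is not enough when the server answers with a redirect: the redirect target is what actually gets fetched, and it must be checked against the requesting page's zone too. The following JavaScript model, added here as an illustration and not taken from the bulletin or from MSXML, shows a flawed redirect-following client beside a corrected one. The zone classification, the `allowed` policy, the fake attacker server (`attacker.example`) and the fake local file system are all constructed for this example; only the general shape (Internet-zone page, 302 to a `file:` URL, local file contents returned) follows the bulletin's description.

```javascript
// Added example, not Microsoft's MSXML code: a model of a redirect-following
// client that must re-apply a security-zone check to every redirect target.
// Zone names, URL classification, the fake server and the fake local files are
// constructed for this illustration.

const ZONE_LOCAL_MACHINE = 'LocalMachine';
const ZONE_INTERNET = 'Internet';

// Assumed, simplified zone classification: file: URLs belong to the local
// machine zone; everything else is treated as the Internet zone.
function zoneOf(url) {
  const u = new URL(url);
  return u.protocol === 'file:' ? ZONE_LOCAL_MACHINE : ZONE_INTERNET;
}

// Constructed stand-in for the victim's disk. As the bulletin notes, the
// attacker has to know the exact path and file name to get anything back.
const LOCAL_FILES = {
  'file:///C:/secrets/config.ini': '[db]\npassword=hunter2\n',
};

// Constructed attacker web server: the first URL answers with a redirect
// pointing at a file on the victim's own machine.
const REMOTE_RESPONSES = {
  'http://attacker.example/data.xml': { status: 302, location: 'file:///C:/secrets/config.ini' },
  'http://attacker.example/real.xml': { status: 200, body: '<ok/>' },
};

// One hop of the simulated transport: local-zone URLs are served from the
// fake disk, everything else from the fake remote server.
function transportFetch(url) {
  if (zoneOf(url) === ZONE_LOCAL_MACHINE) {
    const body = LOCAL_FILES[url];
    return body === undefined ? { status: 404 } : { status: 200, body };
  }
  return REMOTE_RESPONSES[url] || { status: 404 };
}

// Assumed policy: a page may read from a target zone only if that zone is not
// more privileged than its own; LocalMachine is the most privileged, so an
// Internet-zone page may never read it.
function allowed(pageZone, targetZone) {
  if (targetZone === ZONE_LOCAL_MACHINE) return pageZone === ZONE_LOCAL_MACHINE;
  return true;
}

// Flawed client: the zone check runs once, on the URL the page requested, and
// redirects are then followed blindly, so a 302 to file:///... is answered
// with local file contents.
function fetchVulnerable(pageZone, url, maxHops = 5) {
  if (!allowed(pageZone, zoneOf(url))) throw new Error('access denied: ' + url);
  let resp = transportFetch(url);
  for (let hop = 0; hop < maxHops && resp.status === 302; hop++) {
    resp = transportFetch(resp.location); // no zone check on the redirect target
  }
  return resp;
}

// Corrected client: every URL that is actually about to be fetched, including
// each redirect target, is checked against the requesting page's zone first.
function fetchFixed(pageZone, url, maxHops = 5) {
  let current = url;
  for (let hop = 0; hop <= maxHops; hop++) {
    if (!allowed(pageZone, zoneOf(current))) throw new Error('access denied: ' + current);
    const resp = transportFetch(current);
    if (resp.status !== 302) return resp;
    current = resp.location;
  }
  throw new Error('too many redirects');
}
```

Run with Node: `fetchVulnerable('Internet', 'http://attacker.example/data.xml')` returns the constructed local file's contents, while `fetchFixed` with the same arguments throws `access denied` on the `file:` redirect target and still serves `real.xml` normally. The same pattern (validate the final destination, not just the first request) applies to any client that follows redirects on behalf of a less-trusted caller.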