[24270] in bugtraq
Update on the MS02-005 patch, holes still remain
daemon@ATHENA.MIT.EDU (Thor Larholm)
Thu Feb 14 01:35:35 2002
Message-ID: <52D05AEFB0D95C4BAD179A054A54CDEB1BD0E6@mailsrv1.jubii.dk>
From: Thor Larholm <Thor@jubii.dk>
To: "'bugtraq@securityfocus.com'" <bugtraq@securityfocus.com>
Date: Tue, 12 Feb 2002 15:25:11 +0100
MIME-Version: 1.0
Content-Type: text/plain
Now that the MS02-005 patch has finally been officially released (and
updated to patch even more holes), it is time to take a look at what
vulnerabilities remain (what it did patch can be read in the bulletin).
From the security bulletin (located at
http://www.microsoft.com/technet/security/bulletin/MS02-005.asp ), we find
the following phrases:
"eliminates all previously discussed security vulnerabilities affecting IE
5.01, 5.5 and IE 6." and "eliminates all known security vulnerabilities
affecting Internet Explorer 5.01, 5.5 and 6.0."
I would like to take the opportunity to point out that the above is not
true. 2 critical vulnerabilities are still remaining.
1. codebase localpath
Allows execution of arbitrary commands.
Publicly known since January 10th 2002.
Severity: Critical.

2. XMLHTTP
Allows reading of local files.
Publicly known since December 15th 2001.
Severity: Critical for home users.
Notice:
The XMLHTTP vulnerability only affects client systems (home users), as this
IS fixed for NT4/Win2000 users through (among others) the "Windows 2000
Security Rollup Package, January, 2002". Microsoft needs to distribute the
updated, and secure, XMLHTTP packages to home users (Windows 95/98/etc.)
since they are still vulnerable and anyone can still read their local files.
The "GetObject localfile reading" which was patched in MS02-005 was
classified as being "Critical" for "Client Systems". The XMLHTTP
vulnerability still allows a malicious programmer to do the same.
To find out whether you are vulnerable or not, visit
http://jscript.dk/unpatched/
Finally, I would like to point out that Microsoft still has done a great job
in patching a lot of holes with this cumulative patch. Had they told the
public about the amount of holes that they were patching, I am sure we would
have understood the apparently slow reaction somewhat better.
Regards
Thor Larholm
Jubii A/S - Internet Programmer