[26876] in bugtraq
Re: IE bug not fixed - update
daemon@ATHENA.MIT.EDU (Sanford Olson)
Fri Aug 30 13:50:29 2002
Message-ID: <000401c24fbf$78928010$3f00000a@SKEETER2>
From: "Sanford Olson" <sanford@scootersoftware.com>
To: "Brian Taylor" <brian@socnet.freeserve.co.uk>, <bugtraq@securityfocus.com>
Date: Thu, 29 Aug 2002 19:52:04 -0500

Brian,

You probably have multiple versions of MSXML on your system. You need to
patch each one independently.

From the FAQ part of the Microsoft Security Bulletin MS02-008....

"MSXML is installed as a .dll in the system32 subdirectory of the Windows
operating system directory. On most systems, this will likely be c:\windows
or c:\winnt. If you have any or all of the following files in the system32
directory, then you need to apply the appropriate patch or patches:

  * MSXML2.DLL
  * MSXML3.DLL
  * MSXML4.DLL

There is a separate patch for each of the DLLs listed above. If you only
have MSXML.DLL then you do not need to apply a patch because this is an
earlier, unaffected version."

----- Original Message -----
From: "Brian Taylor" <brian@socnet.freeserve.co.uk>
To: <bugtraq@securityfocus.com>
Sent: Tuesday, August 27, 2002 1:57 AM
Subject: IE bug not fixed - update
> Microsoft Baseline security analyser shows a red cross against "MS02-008,
> XMLHTTP Control Can Allow Access to Local Files" on both my systems, and
> this is backed up by the exploit
> http://jscript.dk/Jumper/xploit/xmlhttp.asp
> is working on both my systems despite reapplying the required patch many
> times in the past and then installing the latest IE patch that should also
> have fixed it.
>
>
> > The bug shown on the following pages is not fixed
> >
> > http://online.security.com/bid/3699
> >
> > I have 2 computers running Win XP Pro & IE6, both systems have all
> > updates installed via the Windows Update including Q323759: August, 2002
> > Cumulative Patch for Internet Explorer 6 (Windows XP), installed on 23
> > Aug 02.
> >
> > Yet the page http://jscript.dk/Jumper/xploit/xmlhttp.asp still allows
> > local file reading on both computers, which was meant to be patched in
> > MS02-008.
> >
> > If you need any details, computer config, dll versions etc just drop me
> > a mail and I will get you detailed computer hardware and software info.
> > Can you confirm the existence of this bug on your test systems.
> >
> > Thanks
> > Brian
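
The check described in the quoted MS02-008 FAQ, written as an added example that is not part of the original thread or of Microsoft's bulletin: it inventories the MSXML DLLs in the system32 directory and reports which ones need their own patch. It assumes PowerShell 3.0 or later; the `Get-MsxmlInventory` function name and the `SeparatePatch` column are hypothetical.

```powershell
# Added example: inventory the MSXML DLLs named in the MS02-008 FAQ.
# Assumption: the DLLs live in %SystemRoot%\System32, as the FAQ states.
param(
    [string]$Directory = (Join-Path $env:SystemRoot 'System32')
)

# DLLs the FAQ says each have a separate patch.
$affected   = 'MSXML2.DLL', 'MSXML3.DLL', 'MSXML4.DLL'
# Earlier version the FAQ describes as unaffected.
$unaffected = 'MSXML.DLL'

function Get-MsxmlInventory {
    param([string]$Path)
    foreach ($name in $affected + $unaffected) {
        $file = Join-Path $Path $name
        # Report only files that are actually present.
        if (Test-Path -LiteralPath $file -PathType Leaf) {
            $info = (Get-Item -LiteralPath $file).VersionInfo
            [pscustomobject]@{
                File          = $name
                FileVersion   = $info.FileVersion
                SeparatePatch = $affected -contains $name
            }
        }
    }
}

$found = @(Get-MsxmlInventory -Path $Directory)
$found | Format-Table -AutoSize

$toPatch = @($found | Where-Object { $_.SeparatePatch })
if ($toPatch.Count -eq 0) {
    Write-Output "No MSXML2/3/4 DLL found in $Directory; per the FAQ no MS02-008 patch is needed."
} else {
    Write-Output ("Each of these needs its own MS02-008 patch: " + ($toPatch.File -join ', '))
    Write-Output 'Record FileVersion before and after patching to confirm each DLL was replaced.'
}
```

Running it before and after applying the patches shows whether every listed DLL changed version, which is the situation the reply above points to when one MSXML version is patched and another is left behind.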