Bugtraq mailing list archives
Re: IE bug not fixed - update
From: "Sanford Olson" <sanford () scootersoftware com>
Date: Thu, 29 Aug 2002 19:52:04 -0500
Brian, You probably have multiple versions of MSXML on your system. You need to patch each one independently.
From the FAQ part of the Microsoft Security Bulletin MS02-008....
"MSXML is installed as a .dll in the system32 subdirectory of the Windows operating system directory. On most systems, this will likely be c:\windows or c:\winnt. If you have any or all of the following files in the system32 directory, then you need to apply the appropriate patch or patches: a.. MSXML2.DLL b.. MSXML3.DLL c.. MSXML4.DLL There is a separate patch for each of the DLLs listed above. If you only have MSXML.DLL then you do not need to apply a patch because this is an earlier, unaffected version." ----- Original Message ----- From: "Brian Taylor" <brian () socnet freeserve co uk> To: <bugtraq () securityfocus com> Sent: Tuesday, August 27, 2002 1:57 AM Subject: IE bug not fixed - update
Microsoft Baseline security analyser shows a red cross against "MS02-008, XMLHTTP Control Can Allow Access to Local Files" on both my systems, and this is backed up by the exploit
http://jscript.dk/Jumper/xploit/xmlhttp.asp
is working on both my systems despite reapplying the required patch many times in the past and then installing the latest IE patch that should also of fixed it.The bug shown on the following pages is not fixed http://online.security.com/bid/3699 I have 2 computers running Win XP Pro & IE6, both systems have all = updates installed via the Windows Update including Q323759: August, 2002
=
Cumulative Patch for Internet Explorer 6 (Windows XP), installed on 23 = Aug 02. Yet the page http://jscript.dk/Jumper/xploit/xmlhttp.asp still allows = local file reading on both computers, which was ment to be patched in = MS02-008. If you need any details, computer config, dll versions etc just drop me
=
a mail and I will get you detailed compuer hardware and software info. Can you confirm the existance of this bug on your test systems. Thanks Brian
Current thread:
- IE bug not fixed - update Brian Taylor (Aug 27)
- Re: IE bug not fixed - update Sanford Olson (Aug 30)