Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Re: IE bug not fixed - update

From: "Sanford Olson" <sanford () scootersoftware com>
Date: Thu, 29 Aug 2002 19:52:04 -0500
Brian,

You probably have multiple versions of MSXML on your system.  You need to
patch each one independently.


From the FAQ part of the Microsoft Security Bulletin MS02-008....

"MSXML is installed as a .dll in the system32 subdirectory of the Windows
operating system directory. On most systems, this will likely be c:\windows
or c:\winnt. If you have any or all of the following files in the system32
directory, then you need to apply the appropriate patch or patches:

  a.. MSXML2.DLL
  b.. MSXML3.DLL
  c.. MSXML4.DLL
There is a separate patch for each of the DLLs listed above. If you only
have MSXML.DLL then you do not need to apply a patch because this is an
earlier, unaffected version."



----- Original Message -----
From: "Brian Taylor" <brian () socnet freeserve co uk>
To: <bugtraq () securityfocus com>
Sent: Tuesday, August 27, 2002 1:57 AM
Subject: IE bug not fixed - update



Microsoft Baseline security analyser shows a red cross against "MS02-008,
XMLHTTP Control Can Allow Access to Local Files" on both my systems, and
this is backed up by the exploit

http://jscript.dk/Jumper/xploit/xmlhttp.asp

is working on both my systems despite reapplying the required patch many
times in the past and then installing the latest IE patch that should also
of fixed it.



The bug shown on the following pages is not fixed

http://online.security.com/bid/3699

I have 2 computers running Win XP Pro & IE6, both systems have all =
updates installed via the Windows Update including Q323759: August, 2002

=

Cumulative Patch for Internet Explorer 6 (Windows XP), installed on 23 =
Aug 02.

Yet the page http://jscript.dk/Jumper/xploit/xmlhttp.asp still allows =
local file reading on both computers, which was ment to be patched in =
MS02-008.

If you need any details, computer config, dll versions etc just drop me

=

a mail and I will get you detailed compuer hardware and software info.
Can you confirm the existance of this bug on your test systems.

Thanks
    Brian
Previous By Date Next
Previous By Thread Next

Current thread: