Microsoft Security Bulletin MS02-008

Discussion in 'other security issues & news' started by Zhen-Xjell, Feb 21, 2002.

Thread Status:
Not open for further replies.
  1. Zhen-Xjell

    Zhen-Xjell Security Expert

    Joined:
    Feb 8, 2002
    Posts:
    1,397
    Location:
    Ohio
    -----BEGIN PGP SIGNED MESSAGE-----

    - ----------------------------------------------------------------------
    Title:      XMLHTTP Control Can Allow Access to Local Files
    Date:       21 February 2002
    Software:   Microsoft XML Core Services
    Impact:     Information disclosure
    Max Risk:   Critical
    Bulletin:   MS02-008

    Microsoft encourages customers to review the Security Bulletin at:
    http://www.microsoft.com/technet/security/bulletin/MS02-008.asp.
    - ----------------------------------------------------------------------

    Issue:
    ======
    Microsoft XML Core Services (MSXML) includes the XMLHTTP ActiveX
    control, which allows web pages rendering in the browser to send or
    receive XML data via HTTP operations such as POST, GET, and PUT.
    The control provides security measures designed to restrict web
    pages so they can only use the control to request data from remote
    data sources.

    A flaw exists in how the XMLHTTP control applies IE security zone
    settings to a redirected data stream returned in response to a
    request for data from a web site. A vulnerability results because
    an attacker could seek to exploit this flaw and specify a data
    source that is on the user's local system. The attacker could
    then use this to return information from the local system to the
    attacker's web site.

    An attacker would have to entice the user to a site under his
    control to exploit this vulnerability. It cannot be exploited
    by HTML email. In addition, the attacker would have to know the
    full path and file name of any file he would attempt to read.
    Finally, this vulnerability does not give an attacker any
    ability to add, change or delete data.

    Mitigating Factors:
    ====================
    - The vulnerability can only be exploited via a web site.
      It would not be possible to exploit this vulnerability
      via HTML mail.

    - The attacker would need to know the full path and file name
      of a file in order to read it.

    - The vulnerability does not provide any ability to add,
      change, or delete files.

    Risk Rating:
    ============
    - Internet systems: Moderate
    - Intranet systems: Moderate
    - Client systems: Critical

    Patch Availability:
    ===================
    - A patch is available to fix this vulnerability. Please read the
      Security Bulletin at
      http://www.microsoft.com/technet/security/bulletin/ms02-008.asp
      for information on obtaining this patch.

    - ---------------------------------------------------------------------

    THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS
    PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS
    ALL
    WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE
    WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
    IN NO EVENT
    SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY
    DAMAGES
    WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL,
    LOSS OF
    BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR
    ITS
    SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME
    STATES DO
    NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL
    OR
    INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

    -----BEGIN PGP SIGNATURE-----
    Version: PGP 7.1

    iQEVAwUBPHWQL40ZSRQxA/UrAQEbFwf+IpIT14BtaOo2dJfsDKfs/257rCbbfLDj
    FifMpUUC0AZXhcVGngqLtfZxwXpfx7TYjTKfXGocIBxzyBoJzfUBRdXoCgL5N5Zi
    sQmYP5dI9KWOJwaOnd5fYWYvFrV0rR136B+iMvoFROMp8opnZwGXuB5IGr8AX/u3
    i/uQknvpQpaGwdeHw63QVHvbDpUgM5HzznT7rjheNc41Cy45q9uFYd8dxCTdRgFy
    z2WwrybmFKrUS6W0tGxRxqSqoiW1MBcPGygp5EZhklrLjPjXk8HyW997uIfFDhF1
    s6BSqho49Al5QIGb5UPOL2EFXs5xDTvXkeIWNX+JIPzIpXfDauXR3Q==
    =ZiZW
    -----END PGP SIGNATURE-----


    *******************************************************************

    You have received this e-mail bulletin as a result of your subscription to the Microsoft Product Security Notification   Service.  For more information on this service, please visit http://www.microsoft.com/technet/security/notify.asp.

    To verify the digital signature on this bulletin, please download our PGP key at http://www.microsoft.com/technet/security/notify.asp.

    To cancel your subscription, click on the following link mailto:1_26138_1E81A08D-A2CD-4E10-8D7F-16D1039270F8_US@Newsletters.Microsoft.com?subject=UNSUBSCRIBE to create an unsubscribe e-mail.

    To stop all e-mail newsletters from microsoft.com, click on the following link mailto:2_26138_1E81A08D-A2CD-4E10-8D7F-16D1039270F8_US@Newsletters.Microsoft.com?subject=STOPMAIL to create an unsubscribe e-mail.  You can manage all your Microsoft.com communication preferences from http://www.microsoft.com/misc/unsubscribe.htm

    For security-related information about Microsoft products, please  visit the Microsoft Security Advisor web site at http://www.microsoft.com/security.
     
Loading...
Thread Status:
Not open for further replies.