Microsoft XML Core Services in SQL Server 2000 Lets Remote Scripts Access and Send Local Files
Date: Feb 22 2002
Impact: Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network
Fix Available: Yes
Vendor Confirmed: Yes
Description: Microsoft issued Security Bulletin MS02-008 confirming a previously reported vulnerability in the Microsoft XML Core Services that affects Microsoft SQL Server 2000. A remote user may be able to access files and content on another user's computer.

Microsoft XML Core Services (MSXML) includes the XMLHTTP ActiveX control. A flaw reportedly exists in how the XMLHTTP control applies IE security zone settings to a redirected data stream returned in response to a request for data from a web site. A remote user could specify a data source that is on the user's local system and then use this to return information from the local system to the attacker's web site.
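
The defensive principle behind this flaw is that a source policy checked on the original request has to be checked again on every redirect target. The following is an added PowerShell example, not MSXML or Internet Explorer code; the function names, the simplified "remote HTTP source only" rule standing in for IE zone evaluation, and the sample URLs are assumptions made for illustration.

```powershell
# Added illustration, not MSXML or Internet Explorer code. All names are hypothetical.
# Simplified stand-in for a zone check: a page loaded over HTTP(S) may only be
# handed data that is itself fetched over HTTP(S) from a non-loopback host.
# Requires PowerShell 5 or later for the [type]::new() syntax.
function Test-RedirectHop {
    param(
        [Parameter(Mandatory = $true)] [string] $RequestUrl,   # URL being fetched
        [Parameter(Mandatory = $true)] [string] $Location      # redirect target
    )
    $from = [System.Uri] $RequestUrl
    # Resolve a relative Location against the URL that produced it.
    $to = [System.Uri]::new($from, $Location)
    $reason = $null
    if (@('http', 'https') -notcontains $to.Scheme) {
        $reason = "scheme '$($to.Scheme)' is not a remote HTTP source"
    } elseif ($to.IsLoopback) {
        $reason = 'target is the local machine'
    }
    [pscustomobject]@{
        Target  = $to.AbsoluteUri
        Allowed = ($null -eq $reason)
        Reason  = $reason
    }
}

function Test-RedirectChain {
    param(
        [Parameter(Mandatory = $true)] [string]   $StartUrl,
        [Parameter(Mandatory = $true)] [string[]] $Locations   # Location headers, in order
    )
    $current = $StartUrl
    foreach ($location in $Locations) {
        # The policy is evaluated on every hop, not only on the first request.
        $hop = Test-RedirectHop -RequestUrl $current -Location $location
        if (-not $hop.Allowed) { return $hop }   # stop before any data is returned
        $current = $hop.Target
    }
    [pscustomobject]@{ Target = $current; Allowed = $true; Reason = $null }
}

# Constructed chain: the first hop stays remote, the second names a local file.
Test-RedirectChain -StartUrl 'http://content.example/data.xml' `
    -Locations '/moved/data.xml', 'file:///C:/placeholder/known-file.txt'
```
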
Microsoft reports that affected versions of MSXML ship as part of several products. The patch mentioned in their advisory should reportedly be applied if any of the following Microsoft products are being used:
- Microsoft Windows XP
- Microsoft Internet Explorer 6.0
- Microsoft SQL Server 2000

MSXML can apparently be installed separately as a DLL in the system32 subdirectory. Users that have any of the following files in that directory should install the patch:
- MSXML2.DLL
- MSXML3.DLL
- MSXML4.DLL

The vendor notes that MSXML.DLL is not affected (as it is an earlier version).
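
One way to run the file check described above, as an added PowerShell example that is not vendor tooling. The function name and output fields are hypothetical, and because this page gives no patched file versions, the script reports presence and the file's own version string without judging whether the fix is already installed.

```powershell
# Added example, not vendor tooling. Names are hypothetical.
# Reports which of the DLLs named in this advisory exist in the given directory.
function Get-MsxmlInventory {
    param(
        # The advisory refers to the system32 subdirectory.
        [string] $Directory = (Join-Path $env:SystemRoot 'System32')
    )
    $affected    = @('MSXML2.DLL', 'MSXML3.DLL', 'MSXML4.DLL')  # listed in the advisory
    $notAffected = @('MSXML.DLL')                               # earlier version, per vendor

    foreach ($name in ($affected + $notAffected)) {
        $path    = Join-Path $Directory $name
        $present = Test-Path -LiteralPath $path -PathType Leaf
        $version = $null
        if ($present) {
            # Version string as recorded in the file; shown for the operator to
            # compare against the bulletin, not evaluated here.
            $version = (Get-Item -LiteralPath $path).VersionInfo.FileVersion
        }
        [pscustomobject]@{
            File        = $name
            Present     = $present
            FileVersion = $version
            # True only for a file the advisory says calls for the patch.
            InScope     = ($present -and ($affected -contains $name))
        }
    }
}

$inventory = Get-MsxmlInventory
$inventory | Format-Table -AutoSize

if ($inventory | Where-Object { $_.InScope }) {
    'At least one affected MSXML DLL is present: apply the MS02-008 fix.'
} else {
    'No affected MSXML DLL found in the checked directory.'
}
```
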
Microsoft has assigned this vulnerability a "Moderate" risk rating for Internet and Intranet Servers and a "Critical" risk rating for Client Systems.

This affects Microsoft XML Core Services 2.6, 3.0, and 4.0, which are also included in Microsoft Windows XP, SQL Server 2000, and Internet Explorer 6.0.

[Editor's note: This flaw was reported on our site in December 2001 as a bug in the Microsoft XMLHTTP component shipped with Internet Explorer 6. However, Microsoft has confirmed that the bug also affects products other than IE.]
Impact: A remote user can create a script in an HTML web page or e-mail message that, when loaded and executed by the target (victim) user's
browser, will access and send known files on the target user's computer. The script may also be able to access web site content
from a web site that the target user has recently visited, including content that the target user submitted to the web site.
Solution: The vendor has released a fix for Microsoft XML Core Services (installed as part of SQL Server 2000):
http://www.microsoft.com/Windowsupdate

This can be installed on MSXML versions 2.6 Gold, 3.0 Gold, 3.0 Service Pack 1, 3.0 Service Pack 2, or 4.0 Gold.

This fix will reportedly be included in the following future service packs:
- MSXML 3.0 SP3 and 4.0 Service Pack 1
- Microsoft Windows 2000 Service Pack 3
- Microsoft Windows XP Service Pack 1
- Microsoft Internet Explorer 6.0 Service Pack 1
- Microsoft SQL Server 2000 Service Pack 3

Microsoft plans to release Knowledge Base article Q317244 regarding this flaw.
Vendor URL: www.microsoft.com/technet/security/bulletin/MS02-008.asp
Cause: Access control error
Underlying OS: Windows (2000), Windows (XP)
Reported By: secnotif@microsoft.com
Message History: None.

Source Message Contents
Date: Thu, 21 Feb 2002 17:33:07 -0800
From: secnotif@microsoft.com
Subject: Microsoft Security Bulletin MS02-008
-----BEGIN PGP SIGNED MESSAGE-----
- ----------------------------------------------------------------------
Title: XMLHTTP Control Can Allow Access to Local Files
Date: 21 February 2002
Software: Microsoft XML Core Services
Impact: Information disclosure
Max Risk: Critical
Bulletin: MS02-008
Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com/technet/security/bulletin/MS02-008.asp.
- ----------------------------------------------------------------------
Issue:
======
Microsoft XML Core Services (MSXML) includes the XMLHTTP ActiveX
control, which allows web pages rendering in the browser to send or
receive XML data via HTTP operations such as POST, GET, and PUT.
The control provides security measures designed to restrict web
pages so they can only use the control to request data from remote
data sources.
A flaw exists in how the XMLHTTP control applies IE security zone
settings to a redirected data stream returned in response to a
request for data from a web site. A vulnerability results because
an attacker could seek to exploit this flaw and specify a data
source that is on the user's local system. The attacker could
then use this to return information from the local system to the
attacker's web site.
An attacker would have to entice the user to a site under his
control to exploit this vulnerability. It cannot be exploited
by HTML email. In addition, the attacker would have to know the
full path and file name of any file he would attempt to read.
Finally, this vulnerability does not give an attacker any
ability to add, change or delete data.
Mitigating Factors:
====================
- The vulnerability can only be exploited via a web site.
It would not be possible to exploit this vulnerability
via HTML mail.
- The attacker would need to know the full path and file name
of a file in order to read it.
- The vulnerability does not provide any ability to add,
change, or delete files.
Risk Rating:
============
- Internet systems: Moderate
- Intranet systems: Moderate
- Client systems: Critical
Patch Availability:
===================
- A patch is available to fix this vulnerability. Please read the
Security Bulletin at
http://www.microsoft.com/technet/security/bulletin/ms02-008.asp
for information on obtaining this patch.
- ---------------------------------------------------------------------
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS
ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE
FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL,
CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF
MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION
OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES
SO THE FOREGOING LIMITATION MAY NOT APPLY.
*******************************************************************
You have received this e-mail bulletin as a result of your subscription to the Microsoft Product Security Notification Service.
For more information on this service, please visit http://www.microsoft.com/technet/security/notify.asp.
To verify the digital signature on this bulletin, please download our PGP key at http://www.microsoft.com/technet/security/notify.asp.
For security-related information about Microsoft products, please visit the Microsoft Security Advisor web site at http://www.microsoft.com/security.