Re: IE bug not fixed - update

From: Sanford Olson (sanfordat_private)
Date: Thu Aug 29 2002 - 17:52:04 PDT


    Brian,
    
    You probably have multiple versions of MSXML on your system.  You need to
    patch each one independently.
    
    From the FAQ part of the Microsoft Security Bulletin MS02-008....
    "MSXML is installed as a .dll in the system32 subdirectory of the Windows
    operating system directory. On most systems, this will likely be c:\windows
    or c:\winnt. If you have any or all of the following files in the system32
    directory, then you need to apply the appropriate patch or patches:
    
      * MSXML2.DLL
      * MSXML3.DLL
      * MSXML4.DLL
    
    There is a separate patch for each of the DLLs listed above. If you only
    have MSXML.DLL then you do not need to apply a patch because this is an
    earlier, unaffected version."
    
    
    
    ----- Original Message -----
    From: "Brian Taylor" <brianat_private>
    To: <bugtraqat_private>
    Sent: Tuesday, August 27, 2002 1:57 AM
    Subject: IE bug not fixed - update
    
    
    > Microsoft Baseline security analyser shows a red cross against "MS02-008,
    > XMLHTTP Control Can Allow Access to Local Files" on both my systems, and
    > this is backed up by the exploit http://jscript.dk/Jumper/xploit/xmlhttp.asp
    > is working on both my systems despite reapplying the required patch many
    > times in the past and then installing the latest IE patch that should also
    > have fixed it.
    >
    >
    > > The bug shown on the following pages is not fixed
    > >
    > > http://online.security.com/bid/3699
    > >
    > > I have 2 computers running Win XP Pro & IE6, both systems have all
    > > updates installed via the Windows Update including Q323759: August, 2002
    > > Cumulative Patch for Internet Explorer 6 (Windows XP), installed on 23
    > > Aug 02.
    > >
    > > Yet the page http://jscript.dk/Jumper/xploit/xmlhttp.asp still allows
    > > local file reading on both computers, which was meant to be patched in
    > > MS02-008.
    > >
    > > If you need any details, computer config, dll versions etc just drop me
    > > a mail and I will get you detailed computer hardware and software info.
    > > Can you confirm the existence of this bug on your test systems?
    > >
    > > Thanks
    > >     Brian
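
The per-file check from the bulletin FAQ quoted in this reply, as an added PowerShell example (not part of the original thread and not Microsoft's tooling). The function name Get-MsxmlInventory is hypothetical, and it only reports file versions because the thread gives no patched version numbers to compare against.

```powershell
# Added example: inventory the MSXML parser DLLs named in the MS02-008 FAQ.
# Get-MsxmlInventory is a hypothetical helper name, not a built-in cmdlet.

$Affected   = 'MSXML2.DLL', 'MSXML3.DLL', 'MSXML4.DLL'  # each has a separate patch (per the FAQ)
$Unaffected = 'MSXML.DLL'                               # earlier, unaffected version (per the FAQ)

function Get-MsxmlInventory {
    param(
        # Defaults to the system32 subdirectory of the Windows directory.
        [string]$Directory = (Join-Path $env:SystemRoot 'System32')
    )
    foreach ($name in ($Affected + $Unaffected)) {
        $path = Join-Path $Directory $name
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            $item = Get-Item -LiteralPath $path
            [pscustomobject]@{
                File          = $name
                FileVersion   = $item.VersionInfo.FileVersion
                LastWriteTime = $item.LastWriteTime
                NeedsOwnPatch = ($Affected -contains $name)
            }
        }
    }
}

$found   = @(Get-MsxmlInventory)
$toPatch = @($found | Where-Object { $_.NeedsOwnPatch })

$found | Format-Table -AutoSize

if ($found.Count -eq 0) {
    'No MSXML DLLs found in the directory checked.'
}
elseif ($toPatch.Count -eq 0) {
    'Only MSXML.DLL is present: the FAQ says no patch is needed.'
}
else {
    # One patch per file: a system with several versions needs several patches.
    "Separate MS02-008 patches required for: $($toPatch.File -join ', ')"
}
```

Running it before and after applying each patch and comparing FileVersion and LastWriteTime per file shows which of the DLLs a given patch actually replaced.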
    



    This archive was generated by hypermail 2b30 : Fri Aug 30 2002 - 10:50:15 PDT