Two New Security Updates on WindowsUpdate

Thanks Mike & Karl. Some new updates have appeared on the WindowsUpdate site.

Security Update, February 13, 2002 (MSXML 2.6 and 3.0)

Issue:

Microsoft XML Core Services (MSXML) includes the XMLHTTP ActiveX control, which allows web pages rendering in the browser to send or receive XML data via HTTP operations such as POST, GET, and PUT. The control provides security measures designed to restrict web pages so they can only use the control to request data from remote data sources. A flaw exists in how the XMLHTTP control applies IE security zone settings to a redirected data stream returned in response to a request for data from a web site. A vulnerability results because an attacker could seek to exploit this flaw and specify a data source that is on the user's local system. The attacker could then use this to return information from the local system to the attacker's web site.

An attacker would have to entice the user to a site under his control to exploit this vulnerability. It cannot be exploited by HTML email. In addition, the attacker would have to know the full path and file name of any file he would attempt to read. Finally, this vulnerability does not give an attacker any ability to add, change or delete data.

View: Microsoft Security Bulletin MS01-008: XMLHTTP Control Can Allow Access to Local Files
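
The class of flaw described above, where zone settings are not applied correctly to a redirected response, can be modelled as a policy check that looks only at the URL the page requested. The sketch below is an added example, not Microsoft's code: a simplified two-zone model (zone names, ranking, function names and URLs are constructed assumptions) showing a first-hop-only check beside one that re-checks every hop of the redirect chain.

```javascript
// Simplified model (assumption): two zones, ranked by how much they expose.
const ZONE_RANK = { internet: 0, local: 1 };

// Map a URL to a zone from its scheme. Constructed rule, not IE's real zone logic.
function zoneOf(url) {
  const scheme = new URL(url).protocol;
  if (scheme === "file:") return "local";
  if (scheme === "http:" || scheme === "https:") return "internet";
  throw new Error(`unsupported scheme: ${scheme}`);
}

// Flawed check: only the URL the page asked for is compared with the page's zone.
// Whatever the server redirects to afterwards is never evaluated.
function allowedFirstHopOnly(pageUrl, chain) {
  return ZONE_RANK[zoneOf(chain[0])] <= ZONE_RANK[zoneOf(pageUrl)];
}

// Corrected check: every hop, including redirect targets, must stay in a zone
// no more privileged than the page that issued the request.
function allowedEveryHop(pageUrl, chain) {
  const limit = ZONE_RANK[zoneOf(pageUrl)];
  for (const hop of chain) {
    let rank;
    try {
      rank = ZONE_RANK[zoneOf(hop)];
    } catch {
      // Unparseable URL or unknown scheme: fail closed.
      return { allowed: false, blockedAt: hop };
    }
    if (rank > limit) return { allowed: false, blockedAt: hop };
  }
  return { allowed: true, blockedAt: null };
}

// Constructed sample: an Internet-zone page whose request is redirected to a local file.
const PAGE = "http://site.example/page.html";
const REDIRECTED = ["http://site.example/data.xml", "file:///C:/placeholder/known-file.txt"];
const DIRECT = ["http://site.example/data.xml"];

console.log("first hop only:", allowedFirstHopOnly(PAGE, REDIRECTED));
console.log("every hop:", allowedEveryHop(PAGE, REDIRECTED));
```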

Security Update, February 14, 2002 (Internet Explorer 6)

Issue:

This update resolves the "Incorrect VBScript Handling in Internet Explorer can Allow Web Pages to Read Local Files" security vulnerability in Internet Explorer 6 and Windows XP or Windows 2000, and is discussed in Microsoft Security Bulletin MS02-009. Download now to prevent a malicious user from using an unauthorized Web site to read the contents of files on your local computer.

This vulnerability exists because VBScript that is created dynamically in Internet Explorer can result in the script being assigned invalid permissions, which gives the script the ability to read your local files, if the path to the file is known. This update prevents a malicious user from running VBScript in an unauthorized Web site to read the contents of files on your computer.

View: Microsoft Security Bulletin MS01-009: Incorrect VBScript Handling in IE can Allow Web Pages to Read Local Files

Download: Windows Update
