Reported February 21, 2002, by Microsoft.
Microsoft XML Core Services 4.0, 3.0, and 2.6 affecting:
Internet Explorer (IE) 6.0
Microsoft SQL Server 2000
A vulnerability exists in how the XMLHTTP control applies IE security-zone settings to a redirected data stream that it returns in response to a request for data from a Web site. An attacker can exploit this problem to specify a data source that's on the user's local system, and can then use the vulnerability to obtain information from that system.
The vendor, Microsoft, has released Security Bulletin MS02-008, which addresses this vulnerability, and recommends that affected users immediately apply the patch for XML Core Services located at the Windows Update Web site.
Discovered by Microsoft.
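The following added example (not Microsoft's code and not part of the original advisory) models the class of flaw described above: a zone check applied only to the requested URL, beside a check applied to every redirect hop. The zone names, policy table, hostnames, and redirect table are constructed assumptions for illustration and do not reflect the actual XMLHTTP implementation.

```javascript
// Simplified model (assumption): a URL's zone is derived from scheme and host only.
function zoneOf(url) {
  const u = new URL(url);
  if (u.protocol === "file:") return "local";
  if (u.hostname.endsWith(".intranet.example")) return "intranet";
  return "internet";
}

// Constructed policy: zones whose data a caller in a given zone may read.
const MAY_READ = {
  internet: new Set(["internet"]),
  intranet: new Set(["internet", "intranet"]),
  local: new Set(["internet", "intranet", "local"]),
};

// Constructed redirect table standing in for server responses (no network I/O).
const REDIRECTS = new Map([
  ["http://site.example/data.xml", "http://cdn.example/data.xml"],
  ["http://site.example/feed.xml", "file:///C:/constructed/local.xml"],
]);

// Follow the redirect chain and return every URL visited, in order.
function redirectChain(url, maxHops = 5) {
  const chain = [url];
  while (REDIRECTS.has(url)) {
    if (chain.length > maxHops) throw new Error("too many redirects");
    url = REDIRECTS.get(url);
    chain.push(url);
  }
  return chain;
}

// Flawed pattern: the zone policy is evaluated for the requested URL only,
// so the zone of the redirected data source is never checked.
function allowedFirstHopOnly(callerZone, url) {
  return MAY_READ[callerZone].has(zoneOf(url));
}

// Corrected pattern: every hop, including the final data source, must pass.
function allowedEveryHop(callerZone, url) {
  return redirectChain(url).every((hop) => MAY_READ[callerZone].has(zoneOf(hop)));
}
```
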