Reported February 21, 2002, by Microsoft.

VERSIONS AFFECTED

  • Microsoft XML Core Services 4.0, 3.0, and 2.6 affecting:
    • Windows XP
    • Internet Explorer (IE) 6.0
    • Microsoft SQL Server 2000

DESCRIPTION

A vulnerability exists in how the XMLHTTP control applies IE security-zone settings to a redirected data stream that XMLHTTP returns in response to a request for data from a Web site. An attacker can exploit this problem by specifying a data source that's on the user's local system, and can then use the vulnerability to obtain information from that system.
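
The class of check involved, as an added example that is not Microsoft's code or the MS02-008 patch: every hop of a redirected request is re-evaluated against the zone of the page that issued it. The three-zone model, the function names, and the sample URLs are simplified assumptions, not IE's actual zone mapping.

```javascript
// Simplified zone model (assumption; IE's real zone mapping is richer).
// Lower rank = more privileged.
const ZONE_RANK = { local: 0, intranet: 1, internet: 2 };

// Classify a URL into a zone. Only file:, http: and https: are modelled.
function zoneOf(rawUrl) {
  const u = new URL(rawUrl);
  if (u.protocol === "file:") return "local";
  if (u.protocol !== "http:" && u.protocol !== "https:") {
    throw new Error("unsupported scheme: " + u.protocol);
  }
  // In this model, dotless host names count as intranet, all others as internet.
  return u.hostname.includes(".") ? "internet" : "intranet";
}

// pageUrl: the document that issued the request.
// chain:   the requested URL followed by each redirect target, in order.
// The decision is made per hop, so a redirect cannot move the data
// source into a more privileged zone than the requesting page's.
function checkRedirectChain(pageUrl, chain) {
  const pageZone = zoneOf(pageUrl);
  for (const [i, hop] of chain.entries()) {
    let hopZone;
    try {
      hopZone = zoneOf(hop);
    } catch (e) {
      return { allowed: false, reason: `hop ${i}: ${e.message}` };
    }
    if (ZONE_RANK[hopZone] < ZONE_RANK[pageZone]) {
      return {
        allowed: false,
        reason: `hop ${i}: ${pageZone} page may not read ${hopZone} data`,
      };
    }
  }
  return { allowed: true, reason: "all hops within the page's zone" };
}

// Constructed sample input: a same-zone redirect and a redirect to a local file.
const PAGE = "http://www.example.com/page.html";
const SAFE_CHAIN = ["http://www.example.com/data.xml", "http://cdn.example.com/data.xml"];
const LOCAL_CHAIN = ["http://www.example.com/data.xml", "file:///C:/data/notes.txt"];

console.log(checkRedirectChain(PAGE, SAFE_CHAIN));
console.log(checkRedirectChain(PAGE, LOCAL_CHAIN));
```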

VENDOR RESPONSE

The vendor, Microsoft, has released Security Bulletin MS02-008, which addresses this vulnerability, and recommends that affected users immediately apply the patch for XML Core Services located at the Windows Update Web site.

CREDIT
Discovered by Microsoft.