Microsoft Knowledge Base Article - Q318203
 

MS02-008: XMLHTTP Control in MSXML 3.0 Can Allow Access to Local Files

The information in this article applies to:
  • Microsoft XML 3.0, 3.0 SP1, 3.0 SP2
For additional information on this vulnerability, click the article numbers below to view the articles in the Microsoft Knowledge Base:
    Q317244 MS02-008: XMLHTTP Control in MSXML 4.0 Can Allow Access to Local Files
    Q318202 MS02-008: XMLHTTP Control in MSXML 2.0 Can Allow Access to Local Files

Symptoms

An information-disclosure vulnerability exists that could allow an attacker to read files on the local file system of a user who visits a specially malformed web site.

The attacker would not be able to add, change, or delete files. In addition, the attacker would not be able to use e-mail to carry out this attack; the vulnerability can only be exploited by way of a Web site. Customers who exercise caution when browsing and avoid visiting unknown or untrustworthy sites are at less risk from this vulnerability.

Cause

The vulnerability exists because the XMLHTTP control in the Microsoft XML Core Services does not respect the Internet Explorer Security Zone restrictions. This enables a Web page to specify a file on a user's local system as an XML data source as a means of reading the file.

Resolution

A supported fix is now available from Microsoft, but it is only intended to correct the problem described in this article and should be applied only to systems that are determined to be at risk of attack. Please evaluate your computer's physical accessibility, network and Internet connectivity, and other factors to determine the degree of risk to your computer. Please see the associated Microsoft Security Bulletin to help make this determination. This fix may receive additional testing at a later time, to further ensure product quality. If your computer is sufficiently at risk, Microsoft recommends that you apply this fix now. Otherwise, wait for the next MSXML 3.0 service pack that contains this fix.

To resolve this problem immediately, download the fix as instructed below or contact Microsoft Product Support Services to obtain the fix. For a complete list of Microsoft Product Support Services phone numbers and information on support costs, please go to the following address on the World Wide Web:

NOTE: In special cases, charges that are normally incurred for support calls may be canceled, if a Microsoft Support Professional determines that a specific update will resolve your problem. Normal support costs will apply to additional support questions and issues that do not qualify for the specific update in question.

The following file is available for download from the Microsoft Download Center:
Release Date: February 21, 2002

For additional information about how to download Microsoft Support files, click the article number below to view the article in the Microsoft Knowledge Base:
    Q119591 How to Obtain Microsoft Support Files from Online Services
Microsoft used the most current virus detection software available on the date of posting to scan this file for viruses. After it is posted, the file is housed on secure servers that prevent any unauthorized changes to the file.

NOTE: Customers who downloaded an earlier version of this fix (with an Msxml3.dll file dated 8-Jan-2002) do not need to install the updated fix presented here (even though tools such as HFNetChk may note that an older version of the patch is installed on the system).

Both versions of this fix fully eliminate the vulnerablility. The earlier version was localized for English only, and the updated fix can be installed on any system, regardless of language. Also note that the original versions of the fix for MSXML 2.0 and MSXML 4.0 were already fully localized.

The English version of this fix should have the following file attributes or later:
Date         Version       Size      File name     Platform
-----------------------------------------------------------
15-Feb-2002  8.20.9415.0   1,120,768 msxml3.dll    x86

NOTE: To perform a silent install of this patch, type the following at a command prompt:
    Q318203_MSXML30_x86_en.exe /q:a /c:"dahotfix.exe /q /n"
and press Enter.

Status

Microsoft has confirmed that this problem could result in some degree of security vulnerability in Microsoft XML 3.0.

More Information

Affected versions of MSXML ship as part of several products. You should apply the patch to systems with any of the following Microsoft products:
  • Microsoft Windows XP
  • Microsoft Internet Explorer 6.0
  • Microsoft SQL Server 2000
MSXML can also be installed separately. MSXML is installed as a DLL in the System32 subfolder of the Windows operating system folder. On most systems, this will likely be C:\Windows or C:\winnt. If you have any or all of the following files in the System32 folder, you need the patch:
  • Msxml2.dll
  • Msxml3.dll
  • Msxml4.dll
If you have only Msxml.dll, you do not need the patch because this is an earlier, unaffected version.

For more information on this vulnerability, see the following Microsoft Web site: