What's the scope of the vulnerability?
This is an information disclosure vulnerability. It could allow an attacker to read files on the local file system of a user visiting a specially malformed web site.
The attacker would not be able to add, change or delete files. In addition, he would not be able to use e-mail to carry out this attack - the vulnerability could only be exploited via a web site. Customers who exercise caution when browsing and avoid visiting unknown or untrustworthy sites would be at less risk from this vulnerability.
What causes the vulnerability?
The vulnerability results because the XMLHTTP control in the Microsoft XML Core Services does not respect the IE Security Zone restrictions. This could enable a web page to specify a file on a user's local system as an XML data source, as a means of reading the file.
What is XML?
Extensible Markup Language, or XML, has a highly flexible syntax that can be used to describe virtually any kind of information that can be stored on computers. The information contained in an XML document can be easily passed between applications and systems and can be displayed in Web browsers without difficulty.
The complexity and volume of information now available on the Web has given rise to the popularity of XML as a means of sharing information. XML is also used as a means to transfer information between databases and other data repositories.
What is MSXML?
MSXML is a set of services that provide functions for working with XML documents. A primary use of MSXML is to parse, generate, validate and transform XML documents so that the information can be displayed, stored, or manipulated. Affected versions of MSXML ship as part of the following Microsoft products:
- Microsoft Windows XP
- Microsoft Internet Explorer 6.0
- Microsoft SQL Server 2000
The owner of a website may choose to deliver information using XML. When a customer visits that website, her Internet Explorer browser will use MSXML services to render the information.
What is XMLHTTP?
XMLHTTP is a component of MSXML. XMLHTTP is designed to pass XML documents to programs over the Internet using the standard Hyper-Text Transfer Protocol (HTTP). An example of a program using XMLHTTP is the Outlook Web Access Client, which uses XMLHTTP to retrieve e-mails from a mail server. Another common use is for posting XML data to a web server.
What is wrong with XMLHTTP?
The normal response to an XMLHTTP GET command is a data stream, such as an XML document. The response could also be an error message, saying the data stream is not available, or the response could take the form of a redirect to a data stream in a different location. The problem is that the security settings of the response are not checked.
What do you mean by "security settings"?
When the XMLHTTP control is invoked by a web page, it should respect the restrictions associated with the IE Security Zone in which the page renders. Specifically, when visiting an Internet web site, the control should respect the Internet Zone's prohibition against accessing data on user's system. The vulnerability results because it doesn't do this.
Under most conditions, this flaw doesn't pose a threat. The control does examine the web site's request, and will refuse to carry it out if it requests a local file. However, it's possible to disguise a request in such a way to prevent the control from recognizing that it's a request for a local file, and then exploit the vulnerability
What would this enable an attacker to do?
An attacker could use this vulnerability to read a file from the other user's system. The attacker would be unable to search the user's disk for files, so the full path and file name would need to be known beforehand. However, many system files reside in default locations.
How might an attacker exploit this vulnerability?
An attacker could seek to exploit the vulnerability by first building a web page that includes an XMLHTTP GET call to another page that has been specially malformed using a server side application technology. The page would need to be constructed in such a way as to redirect XMLHTTP to a file on the user's system as the data source. If a user visited the attacker's web site, the redirection through the specially malformed page could allow the attacker to read data from the user's system.
Could the attacker use e-mail to read local files?
No. The vulnerability could not be exploited via email - it could only be exploited via a web site.
What does the patch do?
The patch eliminates the vulnerability by changing the XMLHTTP control to correctly check the security settings of the data stream returned in the response to the XMLHTTP GET call. File reads against local files would not be permitted when the user is browsing the Internet.
How do I tell if I need the patch?
Affected versions of MSXML ship as part of several products. The patch should be applied to systems with any of the following Microsoft products:
- Microsoft Windows XP
- Microsoft Internet Explorer 6.0
- Microsoft SQL Server 2000
MSXML can also be installed separately and may be included with other products not listed above. The best way to determine if you need to apply a patch is to check the MSXML .dlls on your system.
MSXML is installed as a .dll in the system32 subdirectory of the Windows operating system directory. On most systems, this will likely be c:\windows or c:\winnt. If you have any or all of the following files in the system32 directory, then you need to apply the appropriate patch or patches:
- MSXML2.DLL
- MSXML3.DLL
- MSXML4.DLL
There is a separate patch for each of the DLLs listed above. If you only have MSXML.DLL then you do not need to apply a patch because this is an earlier, unaffected version.
The Patch Availability section of the bulletin says that Microsoft refreshed the update for MSXML version 3. Why did that happen?
The original version contained localization information for only English. We subsequently released an updated version that can be installed on any system, regardless of language. The patches for MSXML versions 2 and 4 were already fully localized, and did not need to be updated.
Both the original version and the updated version fully eliminate the vulnerability. Customers who installed the original version do not need to take any action. However, tools such as HFNetChk may note that an older version of the patch is installed on the system.
Why was the update for MSXML version 2.6 refreshed?
The installation routine associated with the original MSXML version 2.6 patch has been updated in order to remedy problems some customers were experiencing when applying the patch through WindowsUpdate. This only affected customers who had an unpatched MSXML version 2.6 and had upgraded from MDAC 2.6 to 2.7.
I successfully applied the version 2.6 patch, does this mean the patch failed to apply?
No. In all cases where the issue occurred, the user was presented with an error message indicating that the installation failed. This means if you successfully applied the 2.6 patch, you need not do anything.
However, If you were presented with an error message when you attempted to apply the 2.6 patch, you should be able to apply the patch successfully.
I'm still having problems applying the patch, what should I do?
If you're having problems applying any security patch, you can call Microsoft Product Support Services for assistance. All calls related to security patches are free of charge.
