Microsoft Security Bulletin MS02-008
XMLHTTP Control Can Allow Access to Local Files
Originally posted: February 21, 2002
Updated: May 09, 2003
Who should read this bulletin:
Customers using Microsoft® XML Core Services 2.6 and later. This includes customers using Microsoft Windows® XP, SQL Server™ 2000, and Internet Explorer 6.0.
Impact of vulnerability:
Maximum Severity Rating:
Customers and system administrators should apply the patch to all affected machines immediately.
- Microsoft XML Core Services versions 2.6, 3.0, and 4.0
- An affected version of Microsoft XML Core Services also ships as part of the following products:
- Microsoft Windows XP
- Microsoft Internet Explorer 6.0
- Microsoft SQL Server 2000
- Microsoft Knowledge Base articles Q318202 (for MSXML 2.0), Q318203 (for MSXML 3.0), and Q317244 (for MSXML 4.0) discuss this issue and will be available approximately 24 hours after the release of this bulletin. Knowledge Base articles can be found on the Microsoft Online Support web site.
- Technical support is available from Microsoft Product Support Services. There is no charge for support calls associated with security patches.
Security Resources: The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.
The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
- V1.0 (February 21, 2002): Bulletin Created.
- V1.1 (February 27, 2002): Bulletin updated with corrected patch verification information and Knowledge Base articles.
- V1.2 (March 5, 2002): Bulletin updated with additional DLL patch information.
- V1.3 (March 11, 2002): Bulletin updated with additional information about determining if a patch is needed.
- V1.4 (April 11, 2002): FAQ item added explaining the refresh of the Q318203 (MSXML3) package.
- V1.5 (May 30, 2002): FAQ item added explaining the refresh of the Q318202 (MSXML2) package.
- V1.6 (November 12, 2002): Bulletin updated with additional information in the future service packs section.
- V1.7 (May 09, 2003): Updated download links to Windows Update.