Information About Microsoft Security Bulletin MS02-023

Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

As you may know, on 15 May 2002 Microsoft released Security Bulletin MS02-023, discussing the availability of a patch that eliminates several security vulnerabilities affecting Internet Explorer. Since that time, several claims have been posted to security mailing lists about the patch and the bulletin. We'd like to address those claims.

On 16 May, three claims were made regarding the first vulnerability discussed in the bulletin, which involves a cross-site scripting vulnerability in a local HTML resource that ships as part of IE.

  • Claim 1: The bulletin describes the vulnerability incorrectly. In reality, the bulletin's description is accurate, and this appears to be a disagreement about how best to describe a security vulnerability. The bulletin describes it in terms of the potential effect on a user, where the author of the posting advocates discussing the underlying software flaw.

  • Claim 2: The bulletin incorrectly says that it would be necessary for an attacker to click a link in order to exploit the vulnerability. This author of the posting is correct - once a user arrived at an attacker's web site, it would be possible for the site to automatically exploit the vulnerability. We have updated the bulletin accordingly.

  • Claim 3: The patch didn't actually eliminate the vulnerability. This is incorrect. The patch does eliminate the vulnerability discussed in the bulletin. The author of the posting is actually describing an entirely new variant of the vulnerability, which had never previously been reported to Microsoft. We are investigating the newly reported issue.

On 17 May, an additional claim was aired regarding the second vulnerability discussed in the bulletin, which involves an information disclosure vulnerability affecting cascading style sheets. The author of this posting claims that the patch doesn't actually eliminate this vulnerability. However, as in the case discussed above, this appears to be a new variant that had never previously been reported to Microsoft, and we are investigating it.

While it's too soon to say what the two investigations will reveal, we do want to assure customers that we will take the appropriate steps to help them keep their systems secure. In the meantime, we strongly encourage customers to apply the patch. As additional information becomes available, we will post it on the TechNet Security web site and on the Microsoft Security Newsgroups.