Article
03/01/2023

Security Bulletin

Microsoft Security Bulletin MS02-008 - Critical

XMLHTTP Control Can Allow Access to Local Files

Published: February 21, 2002 | Updated: May 09, 2003

Version: 1.7

Originally posted: February 21, 2002
Updated: May 09, 2003

Summary

Who should read this bulletin: Customers using Microsoft® XML Core Services 2.6 and later. This includes customers using Microsoft Windows® XP, SQL Server™ 2000, and Internet Explorer 6.0.

Impact of vulnerability: Information disclosure

Maximum Severity Rating: Critical

Recommendation: Customers and system administrators should apply the patch to all affected machines immediately.

Affected Software:

Microsoft XML Core Services versions 2.6, 3.0, and 4.0
An affected version of Microsoft XML Core Services also ships as part of the following products:
- Microsoft Windows XP
- Microsoft Internet Explorer 6.0
- Microsoft SQL Server 2000

General Information

Technical details

Technical description:

Microsoft XML Core Services (MSXML) includes the XMLHTTP ActiveX control, which allows web pages rendering in the browser to send or receive XML data via HTTP operations such as POST, GET, and PUT. The control provides security measures designed to restrict web pages so they can only use the control to request data from remote data sources.

A flaw exists in how the XMLHTTP control applies IE security zone settings to a redirected data stream returned in response to a request for data from a web site. A vulnerability results because an attacker could seek to exploit this flaw and specify a data source that is on the user's local system. The attacker could then use this to return information from the local system to the attacker's web site.

An attacker would have to entice the user to a site under his control to exploit this vulnerability. It cannot be exploited by HTML email. In addition, the attacker would have to know the full path and file name of any file he would attempt to read. Finally, this vulnerability does not give an attacker any ability to add, change or delete data.

Mitigating factors:

The vulnerability can only be exploited via a web site. It would not be possible to exploit this vulnerability via HTML mail.
The attacker would need to know the full path and file name of a file in order to read it.
The vulnerability does not provide any ability to add, change, or delete files.

Severity Rating:

	Internet Servers	Intranet Servers	Client Systems
MSXML version 2.6	Moderate	Moderate	Critical
MSXML version 3.0	Moderate	Moderate	Critical
MSXML version 4.0	Moderate	Moderate	Critical

The above assessment is based on the types of systems affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them. This vulnerability affects the disclosure of personal information, and is most likely to have an impact on client systems.

Vulnerability identifier: CAN-2002-0057

Tested Versions:

Microsoft tested MSXML versions 2.6, 3.0, and 4.0. Previous versions are no longer supported, and may or may not be affected by these vulnerabilities.

Frequently asked questions

What's the scope of the vulnerability?
This is an information disclosure vulnerability. It could allow an attacker to read files on the local file system of a user visiting a specially malformed web site. The attacker would not be able to add, change or delete files. In addition, he would not be able to use e-mail to carry out this attack - the vulnerability could only be exploited via a web site. Customers who exercise caution when browsing and avoid visiting unknown or untrustworthy sites would be at less risk from this vulnerability.

What causes the vulnerability?
The vulnerability results because the XMLHTTP control in the Microsoft XML Core Services does not respect the IE Security Zone restrictions. This could enable a web page to specify a file on a user's local system as an XML data source, as a means of reading the file.

What is XML?
Extensible Markup Language, or XML, has a highly flexible syntax that can be used to describe virtually any kind of information that can be stored on computers. The information contained in an XML document can be easily passed between applications and systems and can be displayed in Web browsers without difficulty. The complexity and volume of information now available on the Web has given rise to the popularity of XML as a means of sharing information. XML is also used as a means to transfer information between databases and other data repositories.

What is MSXML?
MSXML is a set of services that provide functions for working with XML documents. A primary use of MSXML is to parse, generate, validate and transform XML documents so that the information can be displayed, stored, or manipulated. Affected versions of MSXML ship as part of the following Microsoft products:

Microsoft Windows XP
Microsoft Internet Explorer 6.0
Microsoft SQL Server 2000

The owner of a website may choose to deliver information using XML. When a customer visits that website, her Internet Explorer browser will use MSXML services to render the information.

What is XMLHTTP?
XMLHTTP is a component of MSXML. XMLHTTP is designed to pass XML documents to programs over the Internet using the standard Hyper-Text Transfer Protocol (HTTP). An example of a program using XMLHTTP is the Outlook Web Access Client, which uses XMLHTTP to retrieve e-mails from a mail server. Another common use is for posting XML data to a web server.

What is wrong with XMLHTTP?
The normal response to an XMLHTTP GET command is a data stream, such as an XML document. The response could also be an error message, saying the data stream is not available, or the response could take the form of a redirect to a data stream in a different location. The problem is that the security settings of the response are not checked.

What do you mean by "security settings"?
When the XMLHTTP control is invoked by a web page, it should respect the restrictions associated with the IE Security Zone in which the page renders. Specifically, when visiting an Internet web site, the control should respect the Internet Zone's prohibition against accessing data on user's system. The vulnerability results because it doesn't do this. Under most conditions, this flaw doesn't pose a threat. The control does examine the web site's request, and will refuse to carry it out if it requests a local file. However, it's possible to disguise a request in such a way to prevent the control from recognizing that it's a request for a local file, and then exploit the vulnerability

What would this enable an attacker to do?
An attacker could use this vulnerability to read a file from the other user's system. The attacker would be unable to search the user's disk for files, so the full path and file name would need to be known beforehand. However, many system files reside in default locations.

How might an attacker exploit this vulnerability?
An attacker could seek to exploit the vulnerability by first building a web page that includes an XMLHTTP GET call to another page that has been specially malformed using a server side application technology. The page would need to be constructed in such a way as to redirect XMLHTTP to a file on the user's system as the data source. If a user visited the attacker's web site, the redirection through the specially malformed page could allow the attacker to read data from the user's system.

Could the attacker use e-mail to read local files?
No. The vulnerability could not be exploited via email - it could only be exploited via a web site.

What does the patch do?
The patch eliminates the vulnerability by changing the XMLHTTP control to correctly check the security settings of the data stream returned in the response to the XMLHTTP GET call. File reads against local files would not be permitted when the user is browsing the Internet.

How do I tell if I need the patch?
Affected versions of MSXML ship as part of several products. The patch should be applied to systems with any of the following Microsoft products:

Microsoft Windows XP
Microsoft Internet Explorer 6.0
Microsoft SQL Server 2000

MSXML can also be installed separately and may be included with other products not listed above. The best way to determine if you need to apply a patch is to check the MSXML .dlls on your system. MSXML is installed as a .dll in the system32 subdirectory of the Windows operating system directory. On most systems, this will likely be c:\windows or c:\winnt. If you have any or all of the following files in the system32 directory, then you need to apply the appropriate patch or patches:

MSXML2.DLL
MSXML3.DLL
MSXML4.DLL

There is a separate patch for each of the DLLs listed above. If you only have MSXML.DLL then you do not need to apply a patch because this is an earlier, unaffected version.

The Patch Availability section of the bulletin says that Microsoft refreshed the update for MSXML version 3. Why did that happen?
The original version contained localization information for only English. We subsequently released an updated version that can be installed on any system, regardless of language. The patches for MSXML versions 2 and 4 were already fully localized, and did not need to be updated. Both the original version and the updated version fully eliminate the vulnerability. Customers who installed the original version do not need to take any action. However, tools such as HFNetChk may note that an older version of the patch is installed on the system.

Why was the update for MSXML version 2.6 refreshed?
The installation routine associated with the original MSXML version 2.6 patch has been updated in order to remedy problems some customers were experiencing when applying the patch through WindowsUpdate. This only affected customers who had an unpatched MSXML version 2.6 and had upgraded from MDAC 2.6 to 2.7.

I successfully applied the version 2.6 patch, does this mean the patch failed to apply?
No. In all cases where the issue occurred, the user was presented with an error message indicating that the installation failed. This means if you successfully applied the 2.6 patch, you need not do anything. However, If you were presented with an error message when you attempted to apply the 2.6 patch, you should be able to apply the patch successfully.

I'm still having problems applying the patch, what should I do?
If you're having problems applying any security patch, you can call Microsoft Product Support Services for assistance. All calls related to security patches are free of charge.

Patch availability

Download locations for this patch

https:
https://www.microsoft.com/Windowsupdate

Note: As discussed in the FAQ, the patches for MSXML versions 2.6 and 3.0 were updated after release. Customers who installed the original versions do not need to install the updated versions.

Additional information about this patch

Installation platforms:

MSXML versions 2.6 Gold, 3.0 Gold, 3.0 Service Pack 1, 3.0 Service Pack 2, or 4.0 Gold

Inclusion in future service packs:

MSXML 2.6
- Microsoft Windows XP Service Pack 1
- Microsoft SQL Server 2000 Service Pack 3
MSXML 3.0
- MSXML 3.0 Service Pack 3
- Microsoft Internet Explorer 6.0 Service Pack 1
- Windows XP Service Pack 1 (includes MSXML 3.0 Service Pack 3)
MSXML 4.0 - only available to be installed stand-alone
- MSXML 4.0 Service Pack 1

Reboot needed: Yes

Superseded patches: None.

Verifying patch installation:

To verify that the patch has been installed on the machine, confirm that the following registry keys have been created on the machine:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\DataAccess\Q318202 (for MSXML 2.0)
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\DataAccess\Q318203 (for MSXML 3.0)
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\MSXML4\Q317244 (for MSXML 4.0)

Caveats:

None

Localization:

This patch can be installed on all languages.

Obtaining other security patches:

Patches for other security issues are available from the following locations:

Security patches are available from the Microsoft Download Center, and can be most easily found by doing a keyword search for "security_patch".
Patches for consumer platforms are available from the WindowsUpdate web site.

Other information:

Support:

Microsoft Knowledge Base articles Q318202 (for MSXML 2.0), Q318203 (for MSXML 3.0), and Q317244 (for MSXML 4.0) discuss this issue and will be available approximately 24 hours after the release of this bulletin. Knowledge Base articles can be found on the Microsoft Online Support web site.
Technical support is available from Microsoft Product Support Services. There is no charge for support calls associated with security patches.

Security Resources: The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.

Disclaimer:

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions:

V1.0 (February 21, 2002): Bulletin Created.
V1.1 (February 27, 2002): Bulletin updated with corrected patch verification information and Knowledge Base articles.
V1.2 (March 5, 2002): Bulletin updated with additional DLL patch information.
V1.3 (March 11, 2002): Bulletin updated with additional information about determining if a patch is needed.
V1.4 (April 11, 2002): FAQ item added explaining the refresh of the Q318203 (MSXML3) package.
V1.5 (May 30, 2002): FAQ item added explaining the refresh of the Q318202 (MSXML2) package.
V1.6 (November 12, 2002): Bulletin updated with additional information in the future service packs section.
V1.7 (May 09, 2003): Updated download links to Windows Update.

Built at 2014-04-18T13:49:36Z-07:00 </https:>