Now that the MS02-005 patch has finally been officially released (and updated to patch even more holes), it is time to take a look at what vulnerabilities remain (what it did patch can be read in the bulletin).

From the security bulletin (located at http://www.microsoft.com/technet/security/bulletin/MS02-005.asp), we find the following phrases:

"eliminates all previously discussed security vulnerabilities affecting IE 5.01, 5.5 and IE 6."

and

"eliminates all known security vulnerabilities affecting Internet Explorer 5.01, 5.5 and 6.0."

I would like to take the opportunity to point out that the above is not true. 2 critical vulnerabilities are still remaining.

1. codebase localpath
   Allows execution of arbitrary commands.
   Publicly known since January 10th 2002.
   Severity: Critical.

2. XMLHTTP
   Allows reading of local files.
   Publicly known since December 15th 2001.
   Severity: Critical for home users.

Notice: The XMLHTTP vulnerability only affects client systems (home users), as this IS fixed for NT4/Win2000 users through (among others) the "Windows 2000 Security Rollup Package, January, 2002".

Microsoft needs to distribute the updated, and secure, XMLHTTP packages to home users (Windows 95/98/etc.) since they are still vulnerable and anyone can still read their local files.

The "GetObject localfile reading" which was patched in MS02-005 was classified as being "Critical" for "Client Systems". The XMLHTTP vulnerability still allows a malicious programmer to do the same.

To find out whether you are vulnerable or not, visit http://jscript.dk/unpatched/

Finally, I would like to point out that Microsoft still has done a great job in patching a lot of holes with this cumulative patch. Had they told the public about the amount of holes that they were patching, I am sure we would have understood the apparently slow reaction somewhat better.

Regards
Thor Larholm
Jubii A/S - Internet Programmer