Hi, Does anyone know what the .DLL in question is exactly? I see "C:\Program Files\Common Files\System\Ole DB\sqlxmlx.dll" (version 2000.080.0382.00) on some systems that never had SQL Server on them. This appears to have come with MDAC 2.7. I can't tell from this advisory or Microsoft's if this .DLL is vulnerable. Even if it is, according to <http://msdn.microsoft.com/library/default.asp?url=/library/en-us/xmlsql/ac_ xml1_59m4.asp>, "Before queries can be specified using HTTP, a virtual root must be created using the IIS Virtual Directory Management for SQL Server utility." It would seem that if this hasn't been done, there is no vulnerability. Can anyone confirm? Thanks, Francis
