Re: IE bug not fixed - update

Brian,

You probably have multiple versions of MSXML on your system.  You need to
patch each one independently.

From the FAQ part of the Microsoft Security Bulletin MS02-008....
"MSXML is installed as a .dll in the system32 subdirectory of the Windows
operating system directory. On most systems, this will likely be c:\windows
or c:\winnt. If you have any or all of the following files in the system32
directory, then you need to apply the appropriate patch or patches:

  * MSXML2.DLL
  * MSXML3.DLL
  * MSXML4.DLL
There is a separate patch for each of the DLLs listed above. If you only
have MSXML.DLL then you do not need to apply a patch because this is an
earlier, unaffected version."



----- Original Message -----
From: "Brian Taylor" <brian@socnet.freeserve.co.uk>
To: <bugtraq@securityfocus.com>
Sent: Tuesday, August 27, 2002 1:57 AM
Subject: IE bug not fixed - update


> Microsoft Baseline security analyser shows a red cross against "MS02-008,
> XMLHTTP Control Can Allow Access to Local Files" on both my systems, and
> this is backed up by the exploit http://jscript.dk/Jumper/xploit/xmlhttp.asp
> is working on both my systems despite reapplying the required patch many
> times in the past and then installing the latest IE patch that should also
> have fixed it.
>
>
> > The bug shown on the following pages is not fixed
> >
> > http://online.security.com/bid/3699
> >
> > I have 2 computers running Win XP Pro & IE6, both systems have all
> > updates installed via the Windows Update including Q323759: August, 2002
> > Cumulative Patch for Internet Explorer 6 (Windows XP), installed on 23
> > Aug 02.
> >
> > Yet the page http://jscript.dk/Jumper/xploit/xmlhttp.asp still allows
> > local file reading on both computers, which was meant to be patched in
> > MS02-008.
> >
> > If you need any details, computer config, dll versions etc just drop me
> > a mail and I will get you detailed computer hardware and software info.
> > Can you confirm the existence of this bug on your test systems?
> >
> > Thanks
> >     Brian

