Used Microsoft XML 2.0 Core Services Vulnerability Patch for Windows?


Editors’ Review

Download.com staff
This document details a vulnerability in Microsoft XML Core Services (MSXML). It explains how attackers could exploit the XMLHTTP ActiveX control to access local system information.
  • Pros

    • XMLHTTP control sends and receives XML data via HTTP.
    • Supports POST, GET, and PUT operations.
    • Includes security measures to restrict data requests.
    • Cannot be exploited via HTML email.
    • Does not allow data modification.
  • Cons

    • Flaw in applying IE security zone settings.
    • Allows redirection of data streams.
    • Enables attackers to read local system files.
    • Requires attacker to know file path and name.
    • Requires user to visit an attacker-controlled site.


Full Specifications

GENERAL
Release
Latest update
Version: MS02-008

OPERATING SYSTEMS
Platform: Windows
Operating System:
  • Windows 10
  • Windows NT
  • Windows 2000
Additional Requirements: Windows NT/2000

POPULARITY
Total Downloads: 39,464
Downloads Last Week: 0

User Reviews

1/5

7 User Votes


Developer’s Description

Get this add-in for Microsoft XML 2.0 Core Services Vulnerability
Microsoft XML Core Services (MSXML) includes the XMLHTTP ActiveX control, which allows web pages rendering in the browser to send or receive XML data via HTTP operations such as POST, GET, and PUT. The control provides security measures designed to restrict web pages so they can only use the control to request data from remote data sources.

A flaw exists in how the XMLHTTP control applies IE security zone settings to a redirected data stream returned in response to a request for data from a web site. A vulnerability results because an attacker could seek to exploit this flaw and specify a data source that is on the user's local system. The attacker could then use this to return information from the local system to the attacker's web site. An attacker would have to entice the user to a site under his control to exploit this vulnerability. It cannot be exploited by HTML email. In addition, the attacker would have to know the full path and file name of any file he would attempt to read. Finally, this vulnerability does not give an attacker any ability to add, change or delete data.

