Update on the MS02-005 patch, holes still remain
From: Thor Larholm <Thor () jubii dk>
Date: Tue, 12 Feb 2002 15:25:11 +0100
Now that the MS02-005 patch has finally been officially released (and
updated to patch even more holes), it is time to take a look at what
vulnerabilities remain (what it did patch can be read in the bulletin).
From the security bulletin (located at
http://www.microsoft.com/technet/security/bulletin/MS02-005.asp ), we find
the following phrases:
"eliminates all previously discussed security vulnerabilities affecting IE
5.01, 5.5 and IE 6." and "eliminates all known security vulnerabilities
affecting Internet Explorer 5.01, 5.5 and 6.0."
I would like to take the opportunity to point out that the above is not
true. 2 critical vulnerabilities are still remaining.
1. codebase localpath
Allows execution of arbitrary commands.
Publicly known since January 10th 2002.
Allows reading of local files.
Publicly known since December 15th 2001.
Severity: Critical for home users.
The XMLHTTP vulnerability only affects client systems (home users), as this
IS fixed for NT4/Win2000 users through (among others) the "Windows 2000
Security Rollup Package, January, 2002". Microsoft needs to distribute the
updated, and secure, XMLHTTP packages to home users (Windows 95/98/etc.)
since they are still vulnerable and anyone can still read their local files.
The "GetObject localfile reading" which was patched in MS02-005 was
classified as being "Critical" for "Client Systems". The XMLHTTP
vulnerability still allows a malicious programmer to do the same.
To find out whether you are vulnerable or not, visit
Finally, I would like to point out that Microsoft still has done a great job
in patching a lot of holes with this cumulative patch. Had they told the
public about the amount of holes that they were patching, I am sure we would
have understood the apparently slow reaction somewhat better.
Jubii A/S - Internet Programmer