Update on the MS02-005 patch, holes still remain

[Thor Larholm <Thor () jubii dk>]

Now that the MS02-005 patch has finally been officially released (and
updated to patch even more holes), it  is time to take a look at what
vulnerabilities that remain (what it did patch can be read in the bulletin).

> From the security bulletin (located at
http://www.microsoft.com/technet/security/bulletin/MS02-005.asp ), we find
the following phrases:

"eliminates all previously discussed security vulnerabilities affecting IE
5.01, 5.5 and IE 6." and "eliminates all known security vulnerabilities
affecting Internet Explorer 5.01, 5.5 and 6.0."

I would like to take the opportunity to point out that the above is not
true. 2 critical vulnerabilities are still remaining.

1. codebase localpath
Allows execution of arbitrary commands.
Publicly known since January 10th 2002.
Severity: Critical.

2. XMLHTTP
Allows reading of local files.
Publicly known since December 15th 2001.
Severity: Critical for homeusers.

Notice:
The XMLHTTP vulnerability only affects client systems (home users), as this
IS fixed for NT4/Win2000 users through (among others) the "Windows 2000
Security Rollup Package, January, 2002". Microsoft needs to distribute the
updated, and secure, XMLHTTP packages to homeusers (Windows 95/98/etc.)
since they are still vulnerable and anyone can still read their local files.
The "GetObject localfile reading" which was patched in MS02-005 was
classified as being "Critical" for "Client Systems". The XMLHTTP
vulnerability still allows a malicious programmer to do the same.

To find out wether you are vulnerable or not, visit
http://jscript.dk/unpatched/

Finally, I would like to point out that Microsoft still has done a great job
in patching a lot of holes with this cumulative patch. Had they told the
public about the amount of holes that they were patching, I am sure we would
have understood the appareantly slow reaction somewhat better.

Regards
Thor Larholm
Jubii A/S - Internet Programmer