XML Core Services patch (Q318203)

Summary
XMLHTTP Control Can Allow Access to Local Files. A flaw exists in how the XMLHTTP control applies IE security zone settings to a redirected data stream returned in response to a request for data from a web site. A vulnerability results because an attacker could seek to exploit this flaw and specify a data source that is on the user's local system. The attacker could then use this to return information from the local system to the attacker's web site. Impact of vulnerability: Attacker can read files on client system. Affected Software: Microsoft XML Core Services versions 2.6, 3.0, and 4.0. An affected version of Microsoft XML Core Services also ships as part of the following products: Microsoft Windows XP Microsoft Internet Explorer 6.0 Microsoft SQL Server 2000 (note: versions earlier than 2.6 are not affected files affected include msxml[2-4].dll and are found in the system32 directory. This might be false positive if you have earlier version) See http://www.microsoft.com/technet/security/bulletin/ms02-008.mspx