Microsoft Security has been notified of this but it has not yet been fully fixed and corrected. Some of the issues have not been fixed -at all- even after MS was notified by several people.
I have noticed on Windows XP Professional, with all the updates currently available, that I still find that
http://jscript.dk/Jumper/xploit/xmlhttp.asp is able to read local files such as C:\Windows\System.ini and c:\Windows\Win.ini although the security flaw was supposedly fixed by Microsoft's latest patch. Please attempt to verify this if possible on any WinXP system that's already had the supposedly-appropriate patch installed. I was able to read local files using the example exploit page on two Windows XP systems that have all
current patches installed. (including those at
http://members.aol.com/axcel216/web.htm#WXP , Windows Update, and http://www.microsoft.com/windows/ie/downloads/critical/q316059/default.asp - including latest MSN/Windows Messenger installed. )
Additionally:
As you know, Windows (aka MSN) Messenger comes as part of Windows ME and Windows XP and is installed and loaded by default upon the completion of the installation of Windows. It is also therefore probable that this trend will continue in future versions of the Windows Operating System (WOS) from Microsoft. As you also know, there have recently been several security and privacy flaws/bugs/problems with IE 5.x - 6.x and also Windows/MSN Messenger. Most of these known vulnerabilities can be patched using Windows Update and the IE 5.x/6.x cummulative patch can be obtained at this location:
http://www.microsoft.com/windows/ie/downloads/critical/q316059/default.asp which fixes more than half a dozen security problems associated with IE 5.x/6.x However, Microsoft has also released an updated version of Windows/MSN Messenger (free at http://messenger.msn.com/ ) [currently 4.6.0076 is the latest build as of today's date]. This updated version which just came out includes additional security/privacy fixes/patches to help prevent unauthorized access/circumvention/impersonation and privacy violations, etc. I respectfully recommend that you add both of these items to your Windows OS System Updates/Patches pages, as I feel they are both critical and important updates that people need to utilize to protect themselves from these dangerous risks. A Windows/MSN Messenger vulnerability demonstration can be found at http://tom.me.uk/msn/demo.html and several unpatched IE security/privacy problems are described here: http://jscript.dk/unpatched/ - some still not patched/fixed by Microsoft, although some have been. I find it startling that Microsoft hasn't bothered to patch many of these vulnerabilities in such a long amount of time after they were reported to them. I do commend them for the patches they have released, however, their response time leaves something to be desired. And of course, these updates do no good if users do not know about and install them, so it is especially important to get the word out to the public. I have also discovered that Norton Antivirus 2002 with the latest definitions will detect and prevent from running one of the Windows/MSN Messenger privacy/security flaws, however, not all of them. I also, in agreement with Microsoft's instructions at http://messenger.msn.com/support/knownissues.asp
, strongly recommend users do not accept unknown files, especially from unknown sources, via e-mail, newsgroups, websites, and especially on Windows/MSN Messenger itself. I also have noticed on Windows XP Professional, with all the updates currently available, that I still find that http://jscript.dk/Jumper/xploit/xmlhttp.asp is able to read local files such as C:\Windows\System.ini and c:\Windows\Win.ini although the security flaw was supposedly fixed by Microsoft's latest IE patch. Please attempt to verify this if possible on any WinXP system you have, that's already had the supposedly-appropriate patches installed.
Also, for even more eye opening security/privacy flaws in Internet Explorer (5.x and 6.x, possibly others too) see: http://www.osioniusx.com .
You may have seen this already, but just incase, I suggest you might want to have a look at: http://www.osioniusx.com/ . Several more IE security flaws, appear to be unpatched in many cases. One can even add sites to your "Trusted Sites Zone" without knowledge/permission. Latest MS patch does not
appear to fix some of these on WinXP (possibly on other Windows OSes too). (For those just joining this e-mail conversation about MS Internet Explorer security flaws/privacy flaws, see: http://jscript.dk/unpatched/ also for more).
I have taken liberty to notify members of the press/media and the Internet/PC community of these issues, as have others. I've also made sure Microsoft Security is aware of them. Now I'm making sure you, the Internet user, is. I suggest you help all of your friends and family members, and people in chat rooms, e-mail, etc. to be warned about these serious issues. Panic isn't the answer, but spreading the knowledge and work-arounds/fixes is a good step in the right direction. Hopefully Microsoft will patch -ALL- of these flaws (and quickly) and any new ones that are found or that crop up later. I recommend adding the URLs above to your favorites or bookmarks for future reference. You may consider using another browser such as Netscape or Opera in the meantime - and keep that antivirus updated and a good firewall installed.
Respectfully,
CptSiskoX
Xteq Systems
http://www.xteq.com/
Home of Xteq X-Setup
I have noticed on Windows XP Professional, with all the updates currently available, that I still find that
http://jscript.dk/Jumper/xploit/xmlhttp.asp is able to read local files such as C:\Windows\System.ini and c:\Windows\Win.ini although the security flaw was supposedly fixed by Microsoft's latest patch. Please attempt to verify this if possible on any WinXP system that's already had the supposedly-appropriate patch installed. I was able to read local files using the example exploit page on two Windows XP systems that have all
current patches installed. (including those at
http://members.aol.com/axcel216/web.htm#WXP , Windows Update, and http://www.microsoft.com/windows/ie/downloads/critical/q316059/default.asp - including latest MSN/Windows Messenger installed. )
Additionally:
As you know, Windows (aka MSN) Messenger comes as part of Windows ME and Windows XP and is installed and loaded by default upon the completion of the installation of Windows. It is also therefore probable that this trend will continue in future versions of the Windows Operating System (WOS) from Microsoft. As you also know, there have recently been several security and privacy flaws/bugs/problems with IE 5.x - 6.x and also Windows/MSN Messenger. Most of these known vulnerabilities can be patched using Windows Update and the IE 5.x/6.x cummulative patch can be obtained at this location:
http://www.microsoft.com/windows/ie/downloads/critical/q316059/default.asp which fixes more than half a dozen security problems associated with IE 5.x/6.x However, Microsoft has also released an updated version of Windows/MSN Messenger (free at http://messenger.msn.com/ ) [currently 4.6.0076 is the latest build as of today's date]. This updated version which just came out includes additional security/privacy fixes/patches to help prevent unauthorized access/circumvention/impersonation and privacy violations, etc. I respectfully recommend that you add both of these items to your Windows OS System Updates/Patches pages, as I feel they are both critical and important updates that people need to utilize to protect themselves from these dangerous risks. A Windows/MSN Messenger vulnerability demonstration can be found at http://tom.me.uk/msn/demo.html and several unpatched IE security/privacy problems are described here: http://jscript.dk/unpatched/ - some still not patched/fixed by Microsoft, although some have been. I find it startling that Microsoft hasn't bothered to patch many of these vulnerabilities in such a long amount of time after they were reported to them. I do commend them for the patches they have released, however, their response time leaves something to be desired. And of course, these updates do no good if users do not know about and install them, so it is especially important to get the word out to the public. I have also discovered that Norton Antivirus 2002 with the latest definitions will detect and prevent from running one of the Windows/MSN Messenger privacy/security flaws, however, not all of them. I also, in agreement with Microsoft's instructions at http://messenger.msn.com/support/knownissues.asp
, strongly recommend users do not accept unknown files, especially from unknown sources, via e-mail, newsgroups, websites, and especially on Windows/MSN Messenger itself. I also have noticed on Windows XP Professional, with all the updates currently available, that I still find that http://jscript.dk/Jumper/xploit/xmlhttp.asp is able to read local files such as C:\Windows\System.ini and c:\Windows\Win.ini although the security flaw was supposedly fixed by Microsoft's latest IE patch. Please attempt to verify this if possible on any WinXP system you have, that's already had the supposedly-appropriate patches installed.
Also, for even more eye opening security/privacy flaws in Internet Explorer (5.x and 6.x, possibly others too) see: http://www.osioniusx.com .
You may have seen this already, but just incase, I suggest you might want to have a look at: http://www.osioniusx.com/ . Several more IE security flaws, appear to be unpatched in many cases. One can even add sites to your "Trusted Sites Zone" without knowledge/permission. Latest MS patch does not
appear to fix some of these on WinXP (possibly on other Windows OSes too). (For those just joining this e-mail conversation about MS Internet Explorer security flaws/privacy flaws, see: http://jscript.dk/unpatched/ also for more).
I have taken liberty to notify members of the press/media and the Internet/PC community of these issues, as have others. I've also made sure Microsoft Security is aware of them. Now I'm making sure you, the Internet user, is. I suggest you help all of your friends and family members, and people in chat rooms, e-mail, etc. to be warned about these serious issues. Panic isn't the answer, but spreading the knowledge and work-arounds/fixes is a good step in the right direction. Hopefully Microsoft will patch -ALL- of these flaws (and quickly) and any new ones that are found or that crop up later. I recommend adding the URLs above to your favorites or bookmarks for future reference. You may consider using another browser such as Netscape or Opera in the meantime - and keep that antivirus updated and a good firewall installed.
Respectfully,
CptSiskoX
Xteq Systems
http://www.xteq.com/
Home of Xteq X-Setup