Loads of IE and MSN/Windows Messenger Security/Privacy Flaws

View Poll Results: Are you satisfied with current Microsoft Security (response time, taken-serious, etc)
Yes 2 15.38%
No 11 84.62%
Voters: 13. You may not vote on this poll

  #1  
Old 02-15-2002
TechSpot Member
 
Location: USA
Member since: Feb 2002, 32 posts
Loads of IE and MSN/Windows Messenger Security/Privacy Flaws

Microsoft Security has been notified of this but it has not yet been fully fixed and corrected. Some of the issues have not been fixed -at all- even after MS was notified by several people.

I have noticed on Windows XP Professional, with all the updates currently available, that I still find that http://jscript.dk/Jumper/xploit/xmlhttp.asp is able to read local files such as C:\Windows\System.ini and c:\Windows\Win.ini although the security flaw was supposedly fixed by Microsoft's latest patch. Please attempt to verify this if possible on any WinXP system that's already had the supposedly-appropriate patch installed. I was able to read local files using the example exploit page on two Windows XP systems that have all current patches installed (including those at http://members.aol.com/axcel216/web.htm#WXP , Windows Update, and http://www.microsoft.com/windows/ie/...59/default.asp - including latest MSN/Windows Messenger installed).

Additionally:

As you know, Windows (aka MSN) Messenger comes as part of Windows ME and Windows XP and is installed and loaded by default upon the completion of the installation of Windows. It is also therefore probable that this trend will continue in future versions of the Windows Operating System (WOS) from Microsoft. As you also know, there have recently been several security and privacy flaws/bugs/problems with IE 5.x - 6.x and also Windows/MSN Messenger. Most of these known vulnerabilities can be patched using Windows Update and the IE 5.x/6.x cumulative patch can be obtained at this location:
http://www.microsoft.com/windows/ie/...59/default.asp which fixes more than half a dozen security problems associated with IE 5.x/6.x. However, Microsoft has also released an updated version of Windows/MSN Messenger (free at http://messenger.msn.com/ ) [currently 4.6.0076 is the latest build as of today's date]. This updated version which just came out includes additional security/privacy fixes/patches to help prevent unauthorized access/circumvention/impersonation and privacy violations, etc. I respectfully recommend that you add both of these items to your Windows OS System Updates/Patches pages, as I feel they are both critical and important updates that people need to utilize to protect themselves from these dangerous risks. A Windows/MSN Messenger vulnerability demonstration can be found at http://tom.me.uk/msn/demo.html and several unpatched IE security/privacy problems are described here: http://jscript.dk/unpatched/ - some still not patched/fixed by Microsoft, although some have been. I find it startling that Microsoft hasn't bothered to patch many of these vulnerabilities in such a long amount of time after they were reported to them. I do commend them for the patches they have released, however, their response time leaves something to be desired. And of course, these updates do no good if users do not know about and install them, so it is especially important to get the word out to the public. I have also discovered that Norton Antivirus 2002 with the latest definitions will detect and prevent from running one of the Windows/MSN Messenger privacy/security flaws, however, not all of them. I also, in agreement with Microsoft's instructions at http://messenger.msn.com/support/knownissues.asp , strongly recommend users do not accept unknown files, especially from unknown sources, via e-mail, newsgroups, websites, and especially on Windows/MSN Messenger itself. I also have noticed on Windows XP Professional, with all the updates currently available, that I still find that http://jscript.dk/Jumper/xploit/xmlhttp.asp is able to read local files such as C:\Windows\System.ini and c:\Windows\Win.ini although the security flaw was supposedly fixed by Microsoft's latest IE patch. Please attempt to verify this if possible on any WinXP system you have, that's already had the supposedly-appropriate patches installed.

Also, for even more eye opening security/privacy flaws in Internet Explorer (5.x and 6.x, possibly others too) see: http://www.osioniusx.com .

You may have seen this already, but just in case, I suggest you might want to have a look at: http://www.osioniusx.com/ . Several more IE security flaws appear to be unpatched in many cases. One can even add sites to your "Trusted Sites Zone" without knowledge/permission. Latest MS patch does not appear to fix some of these on WinXP (possibly on other Windows OSes too). (For those just joining this e-mail conversation about MS Internet Explorer security flaws/privacy flaws, see: http://jscript.dk/unpatched/ also for more).

I have taken the liberty to notify members of the press/media and the Internet/PC community of these issues, as have others. I've also made sure Microsoft Security is aware of them. Now I'm making sure you, the Internet user, are. I suggest you help all of your friends and family members, and people in chat rooms, e-mail, etc. to be warned about these serious issues. Panic isn't the answer, but spreading the knowledge and work-arounds/fixes is a good step in the right direction. Hopefully Microsoft will patch -ALL- of these flaws (and quickly) and any new ones that are found or that crop up later. I recommend adding the URLs above to your favorites or bookmarks for future reference. You may consider using another browser such as Netscape or Opera in the meantime - and keep that antivirus updated and a good firewall installed.

Respectfully,

CptSiskoX
Xteq Systems
http://www.xteq.com/
Home of Xteq X-Setup
  #2  
Old 02-15-2002
PanicX
TechSpot Ambassador
 
Location: Southern California
Member since: Feb 2002, 829 posts
Thanks for the Info CptSiskoX !

I personally think M$'s security policies are far from acceptable. As far as them prioritizing Security as their number 1 goal, I'm greatly disappointed by their lack of results.
  #3  
Old 03-01-2002
TechSpot Member
 
Location: USA
Member since: Feb 2002, 32 posts
Update

As of today's date, Microsoft has patched most of the (if not all of the) security holes and flaws I mentioned in my original post. However, several that have since been discovered are as yet unpatched. Hopefully, MS will continue to take seriously and act quickly to resolve the additional security problems, both now and in the future. MS is aware of them, and hopefully planning to issue fixes. It is noteworthy to mention that MS neglected to fix several of the flaws until the media picked up on them - and ignored user reports of security flaws, etc. until it was publicly thrown in their face. Sometimes, apparently, public pressure is the only way to keep some companies doing the right thing. My feeling on this is, granted some security flaws may be minor, but some of the ones listed were fairly serious, and others quite serious... but MS (or any software company) should not ignore security problems, no matter how insignificant they might deem them - problems are problems and need to be fixed properly, and in a timely, professional manner. A good site I recommend is: http://jscript.dk/unpatched/ (I encourage everyone to add it to Favorites or Bookmarks, etc.) You might want to e-mail the site author if you discover any additional security issues with Microsoft software, especially Internet Explorer. And check Windows Update often. I also recommend LockerGnome Windows Daily (free http://www.lockergnome.com) and Fred Langa's newsletter (free http://www.langa.com). Both are excellent and feature security tips and info, along with good downloads, links to patches, etc. Also be sure to e-mail security flaws you discover to the software vendor (especially Microsoft) at secure@microsoft.com for instance.
  #4  
Old 03-06-2002
TechSpot Member
 
Location: San Luis Obispo
Member since: Mar 2002, 38 posts
What scares me is that every time I go to Windows update, there's always either a fix for Internet Explorer or Windows security. It's kind of like a never ending flow of security problems; as soon as they fix one thing someone finds something else that's wrong.