MS00-084: Update Available for Indexing Service Vulnerability (278499)


The information in this article applies to:

  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Index Server 2.0
This article was previously published under Q278499

SYMPTOMS

Microsoft has made an update available that addresses a potential security vulnerability that relates to the Webhits component (Webhits.dll) of the Windows 2000 and Windows NT 4.0 Indexing services. The vulnerability is the result of a feature in the Indexing service that allows users to specify alternate HTML to be used to highlight a match to query text. The feature lets users pass raw HTML as a parameter to a .htw file. This HTML is not escaped or scanned in any way. Because of this, users can then submit scripts embedded in the HTML. This vulnerability is known as Cross-Site Scripting (CSS). For more information about CSS, please see the "More Information" section of this article.

Note: The Indexing Service ships and installs with Windows 2000, but is not enabled by default. Users who are running web servers on Windows 2000 who have enabled Indexing Services are urged to apply this patch. The Indexing Service for Windows NT 4.0 ships with the NT Option Pack, and is not installed or enabled by default.

RESOLUTION

Windows 2000

To resolve this problem, obtain the latest service pack for Windows 2000. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

260910 How to Obtain the Latest Windows 2000 Service Pack 

The English-language version of this fix should have the following 
file attributes or later:

   Date       Time             Size     File name     Platform
   -----------------------------------------------------------
   10/31/2000 11:08am          42,768   Webhits.dll   i386

Indexing Server 2.0

The following files are available for download from the Microsoft Download Center:
All languages except Japanese NEC and Chinese - Hong Kong

DownloadDownload the 278499 package now.

Japanese NEC

DownloadDownload the 278499 package now.

Chinese - Hong Kong

DownloadDownload the 278499 package now.

Release Date: April 9, 2003

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:

119591 How to Obtain Microsoft Support Files from Online Services

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file. The English version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel. 
   Date         Time   Version     Size    File name
   ---------------------------------------------------
   25-Feb-2003  06:53  5.0.1782.5  42,256  Webhits.dll

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article. This problem was first corrected in Windows 2000 Service Pack 2.

MORE INFORMATION

For more information about this vulnerability and the patch, please view the following Microsoft Web sites:

http://www.microsoft.com/technet/security/bulletin/fq00-084.mspx

http://www.microsoft.com/technet/security/bulletin/ms00-084.asp

On February 20, 2000, Microsoft and the Computer Emergency Response Team (CERT) Coordination Center published information about a newly-identified security vulnerability affected all Web server products. This vulnerability, known as Cross-Site Scripting (CSS), results when Web programs don't properly validate inputs before using them in dynamic Web pages. If a malicious Web site operator were able to lure a user to his site, and had identified a third-party Web site that was vulnerable to CSS, the malicious Web site operator could potentially use the vulnerability to "inject" script into a Web page that was created by the other Web site, which would then be delivered to the user. The effect of this would be to cause the malicious user's script to run on the user's computer by using the trust from the other site.

The vulnerability can affect any software that runs on a Web server, accepts user input, and "blindly" uses it to generate Web pages. Microsoft has identified a component within the Windows 2000 and Windows NT 4.0 Indexing services that is vulnerable to this scenario and is releasing a bulletin and a patch to correct the problem.
Modification Type:MinorLast Reviewed:9/26/2005
Keywords:kbHotfixServer kbQFE KbSECVulnerability kbSecurity KbSECBulletin kbbug kbenv kbfix kbWin2000PreSP2Fix KB278499
©2004 Microsoft Corporation. All rights reserved.