Microsoft Security Bulletin (MS00-044)
Patch Available for "Absent Directory Browser Argument" Vulnerability
Originally Posted: July 14, 2000
Microsoft has released a patch that eliminates two security
vulnerabilities in Microsoft(r) Internet Information Server. In sum,
the vulnerabilities could allow a malicious user to stop the web
server from providing useful service, or to extract certain types of
information from it.
Frequently asked questions regarding this vulnerability and the patch
can be found at
http://www.microsoft.com/technet/security/bulletin/fq00-044.asp
There are two vulnerabilities at issue here:
Microsoft believes that the most appropriate way to eliminate these
vulnerabilities is to remove the script mapping for HTR, as
discussed in the IIS 4.0 Security Checklist. Only customers with
business-critical HTR scripts should retain the functionality and
install the patch.
Note: The patch should only be installed by customers who have a
business-critical need for the .HTR functionality. Microsoft
recommends that all other customers disable the .HTR functionality
altogether, as discussed in the FAQ.
Note: Customers who choose to install the patch should also
strengthen the permissions on the /scripts/iisadmin folder in each
web site on the server, and ensure that only administrators can
access it.
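The following audit sketch is an added example, not part of the original bulletin or any Microsoft tooling. It checks which metabase nodes still have an .htr script mapping in force after the mapping was removed at the server level, including nodes that keep it through their own explicit ScriptMaps list. The node names, file paths and the "extension,executable,flags[,verbs]" entry layout are assumptions used as constructed sample data.

```python
# Added example: audit which IIS metabase nodes still carry an .htr mapping.
# All node names, paths and entries below are constructed sample data.

# ScriptMaps lists set explicitly on a node; nodes not listed here inherit
# from the nearest parent that has one.
# Assumed entry layout: "extension,executable,flags[,verbs]".
SAMPLE_EXPLICIT = {
    "W3SVC": [r".asp,C:\WINNT\System32\inetsrv\asp.dll,1,PUT,DELETE"],
    "W3SVC/2/ROOT": [
        r".asp,C:\WINNT\System32\inetsrv\asp.dll,1,PUT,DELETE",
        r".HTR,C:\WINNT\System32\inetsrv\ism.dll,1,GET,POST",
    ],
}
SAMPLE_NODES = ["W3SVC/1/ROOT", "W3SVC/2/ROOT", "W3SVC/2/ROOT/scripts/iisadmin"]


def parse_entry(entry):
    """Split one ScriptMaps entry into (lower-cased extension, executable)."""
    parts = [p.strip() for p in entry.split(",")]
    if len(parts) < 2 or not parts[0].startswith("."):
        raise ValueError(f"malformed ScriptMaps entry: {entry!r}")
    return parts[0].lower(), parts[1]


def effective_entries(explicit, node):
    """Return the ScriptMaps list in force at node (nearest explicit list wins)."""
    path = node
    while True:
        if path in explicit:
            return explicit[path]
        if "/" not in path:
            return []
        path = path.rsplit("/", 1)[0]


def find_htr_mappings(explicit, nodes):
    """Map each node where .htr is still handled to the handler executable."""
    findings = {}
    for node in nodes:
        for entry in effective_entries(explicit, node):
            ext, exe = parse_entry(entry)
            if ext == ".htr":
                findings[node] = exe
    return findings


if __name__ == "__main__":
    for node, exe in find_htr_mappings(SAMPLE_EXPLICIT, SAMPLE_NODES).items():
        print(f"{node}: .htr still mapped to {exe}")
```

In the sample, the second site is flagged even though the server-level list no longer contains .htr, because that site defines its own list.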
Note: Additional security patches are available at the Microsoft
Download Center.
Please see the following references for more information related to
this issue.
This is a fully supported patch. Information on contacting Microsoft
Product Support Services is available at
http://support.microsoft.com/support/contact/default.asp.
Microsoft thanks the following customers for working with us to
protect customers:
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED
"AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL
WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT
SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY
DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL,
CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF
MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION
OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES
SO THE FOREGOING LIMITATION MAY NOT APPLY.
Last Updated July 14, 2000
(c) 2000 Microsoft Corporation. All rights reserved.