
ms00-098

Posted Dec 21, 2000

Microsoft Security Bulletin (MS00-098) - Microsoft has released a patch that eliminates a security vulnerability in Windows 2000 which allows malicious web site operators to learn the names and properties of files and folders on the machine of a visiting user. An ActiveX control that ships as part of Indexing Service is incorrectly marked as safe for scripting, thereby enabling it to be executed by web site applications. Microsoft FAQ on this issue available here.

tags | web, activex
systems | windows
SHA-256 | dea039b3a54461433703185993d68742ed9c4f44655892b6dc44d7ef1927f45b

Microsoft Security Bulletin (MS00-098)

Patch Available for Indexing Service File Enumeration Vulnerability

Originally posted: December 19, 2000

Summary

Microsoft has released a patch that eliminates a security
vulnerability in a component that ships as part of Microsoft® Windows®
2000. The vulnerability could allow a malicious web site operator to
learn the names and properties of files and folders on the machine of
a visiting user.

Frequently asked questions regarding this vulnerability and the patch
can be found at
http://www.microsoft.com/technet/security/bulletin/fq00-098.asp

Issue

An ActiveX control that ships as part of Indexing Service is
incorrectly marked as safe for scripting, thereby enabling it to be
executed by web site applications. The control at issue here could be
used to enumerate files and folders, and to view their properties. It
would not be necessary for Indexing Service to be running in order for
the vulnerability to be exploited; however, if it were running, the
control also could be used to search for files containing specific
words. The vulnerability could not be used to read files, except via a
fairly unlikely scenario discussed in detail in the FAQ. It could not
be used under any conditions to change, add or delete information on
the user's computer.

A patch has been provided for Indexing Service 3.0, but not for Index
Server 2.0. This is primarily due to the different delivery vehicles
for the two versions. Indexing Service 3.0 ships as part of all
versions of Windows 2000; thus, the vulnerability could affect all
Windows 2000 users. In contrast, Index Server 2.0 ships as part of the
Windows NT 4.0 Option Pack; thus, to be affected by the vulnerability
in Index Server 2.0, a webmaster would need to browse untrustworthy
Internet sites from a web server, which is contrary to normal
recommended practices.

Affected Software Versions

* Index Server 2.0
* Indexing Service 3.0

Note: Index Server 2.0 ships as part of the Windows NT 4.0 Option
Pack. Indexing Service 3.0 ships as part of all versions of Windows
2000.

Patch Availability

* Indexing Service 3.0:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=26595

Note: As discussed in the FAQ, a patch has not been provided for Index
Server 2.0, because this product should only be installed on web
servers, which should never be used for browsing the Internet.

Note: This patch can be applied to systems running Windows 2000 Gold
or Service Pack 1. It will be included in Windows 2000 Service Pack 3.

Note: Additional security patches are available at the Microsoft
Download Center.

More Information

Please see the following references for more information related to
this issue.
* Frequently Asked Questions: Microsoft Security Bulletin MS00-098,
http://www.microsoft.com/technet/security/bulletin/fq00-098.asp
* Microsoft Knowledge Base article Q280838 discusses this issue and
will be available soon.
* Microsoft TechNet Security web site,
http://www.microsoft.com/technet/security/default.asp

Obtaining Support on this Issue

This is a fully supported patch. Information on contacting Microsoft
Product Support Services is available at
http://support.microsoft.com/support/contact/default.asp.

Revisions

* December 19, 2000: Bulletin Created.

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED
"AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL
WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT
SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES
WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS
OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION
OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR
CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY
NOT APPLY.

Last updated December 19, 2000
© 2000 Microsoft Corporation. All rights reserved. Terms of use.