manunkind
December 19, 2000, 11:04 pm
Microsoft Security Bulletin (MS00-098)
Patch Available for “Indexing Service File Enumeration” Vulnerability
Originally posted: December 19, 2000
Summary
Microsoft has released a patch that eliminates a security vulnerability in a component that ships as part of Microsoft® Windows® 2000. The vulnerability could allow a malicious web site operator to learn the names and properties of files and folders on the machine of a visiting user.
Frequently asked questions regarding this vulnerability and the patch can be found at http://www.microsoft.com/technet/security/bulletin/fq00-098.asp
Issue
An ActiveX control that ships as part of Indexing Service is incorrectly marked as “safe for scripting”, thereby enabling it to be executed by web site applications. The control at issue here could be used to enumerate files and folders, and to view their properties. It would not be necessary for Indexing Service to be running in order for the vulnerability to be exploited; however, if it were running, the control also could be used to search for files containing specific words. The vulnerability could not be used to read files, except via a fairly unlikely scenario discussed in detail in the FAQ. It could not be used under any conditions to change, add or delete information on the user’s computer.
A patch has been provided for Indexing Service 3.0, but not for Index Server 2.0. This is primarily due to the different delivery vehicles for the two versions. Indexing Service 3.0 ships as part of all versions of Windows 2000; thus, the vulnerability could affect all Windows 2000 users. In contrast, Index Server 2.0 ships as part of the Windows NT 4.0 Option Pack; thus, to be affected by the vulnerability in Index Server 2.0, a webmaster would need to browse untrustworthy Internet sites from a web server, which is contrary to normal recommended practices.
Affected Software Versions
Index Server 2.0
Indexing Service 3.0
Note: Index Server 2.0 ships as part of the Windows NT 4.0 Option Pack. Indexing Service 3.0 ships as part of all versions of Windows 2000.
Patch Availability
Indexing Service 3.0: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=26595
Note: As discussed in the FAQ, a patch has not been provided for Index Server 2.0, because this product should only be installed on web servers, which should never be used for browsing the Internet.
Note: This patch can be applied to systems running Windows 2000 Gold or Service Pack 1. It will be included in Windows 2000 Service Pack 3.
Note: Additional security patches are available at the Microsoft Download Center.
------------------
Moderator at Help from Techs Support Forums (http://www.helpfromtechs.com)