
Security Update, February 2, 2001

Select your language from the drop-down list below and click Next.


Read Me First

This update resolves a new variant of the "File Fragment Reading via .htr" security vulnerability that is present in Internet Information Server (IIS) 4.0 with .htr enabled, and is discussed in Microsoft Security Bulletin MS01-004. Download now if you use .htr functionality, to prevent a malicious user from reading portions of certain files on your Web server.

The vulnerability exists because the ISAPI (Internet Services Application Programming Interface) extension that processes .htr files can be made to process server-side files that are not .htr files, such as Active Server Pages (ASP pages). If a malicious user requests a file from the server by using a specific type of malformed URL, IIS can be caused to use the ISAPI extension to process the file, even if it is not an .htr file. The ISAPI extension attempts to interpret the requested file as an .htr file, and although it removes virtually everything but text from the file, portions of the text can be sent back to the malicious user.

The recommended method for eliminating this vulnerability is to disable the .htr functionality in IIS. If you have a business-critical reason to continue to use the .htr functionality, you should download the update, even if you have already installed previous updates that provide protection against the variants discussed in Microsoft Security Bulletins MS00-031 and MS00-044. (These sites are in English.)

Customers who have no reason to use the .htr functionality, and haven’t already disabled .htr, should do so rather than download this update. (Instructions for disabling .htr are provided in the Frequently Asked Questions section of Security Bulletin MS01-004.)
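
After disabling .htr, it is worth confirming that no site or directory still maps the extension to a handler. The following is an added example, not Microsoft's code: it audits a dump of IIS script mappings for nodes where .htr is still in effect. It assumes entries of the form "extension,handler,flags" and that a node defining its own mapping list overrides its parent's list; the node names and handler paths are constructed placeholders.

```python
# Added example; the metabase dump below is constructed, with placeholder
# node names and handler paths, and does not come from a real server.
SAMPLE = {
    "W3SVC": [r".asp,X:\placeholder\asp-handler.dll,1"],  # .htr removed here
    "W3SVC/1": None,                                       # None = inherits
    "W3SVC/1/ROOT": None,
    "W3SVC/1/ROOT/legacyapp": [r".htr,X:\placeholder\htr-handler.dll,1"],
    "W3SVC/2": [r".asp,X:\placeholder\asp-handler.dll,1",
                r".HTR,X:\placeholder\htr-handler.dll,1"],
    "W3SVC/2/ROOT": None,
}

def parse_script_map(entry):
    """Split one entry of the assumed form 'ext,handler,flags[,verbs...]'."""
    parts = [p.strip() for p in entry.split(",")]
    if len(parts) < 2 or not parts[0].startswith("."):
        raise ValueError("malformed ScriptMaps entry: %r" % entry)
    return parts[0].lower(), parts[1]

def effective_maps(metabase, node):
    """Return (defining_node, entries) for the list that applies at node.

    Assumption: a node with its own list overrides the parent's list entirely,
    so removing .htr only at the top level leaves overriding children mapped.
    """
    path = node
    while path:
        maps = metabase.get(path)
        if maps is not None:
            return path, maps
        path = path.rpartition("/")[0]  # step up one level
    return None, []

def audit_htr(metabase):
    """List (node, defining_node, handler) wherever .htr is still in effect."""
    findings = []
    for node in sorted(metabase):
        source, maps = effective_maps(metabase, node)
        for entry in maps:
            ext, handler = parse_script_map(entry)
            if ext == ".htr":
                findings.append((node, source, handler))
    return findings

if __name__ == "__main__":
    for node, source, handler in audit_htr(SAMPLE):
        print("%s: .htr -> %s (set at %s)" % (node, handler, source))
```

In the sample, .htr was removed at the top level, yet three nodes still resolve it because a child list overrides the parent.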

Note: This update has been revised as of February 2, 2001. Microsoft recommends that you install this version of the update.

For more information about this vulnerability, please read Microsoft Security Bulletin MS01-004.

System Requirements

This update applies to Internet Information Server (IIS) 4.0 with the .htr functionality enabled.

How to download and install

  1. Select your language from the drop-down list above.
  2. Click Next.
  3. On the following page, click Download Now.
  4. Do one of the following:
    • To start the installation immediately, select Run this Program from its Current Location.
    • To copy the download to your computer for installation at a later time, select Save this Program to Disk.
  5. Click OK.

Note: Some languages also include a symbols package for this update. This package is recommended for system administrators and other advanced users and is used to diagnose Windows NT® 4.0 system problems; it is not required for proper operation of your computer.

How to use

Restart your computer to complete the installation.

How to uninstall

  1. Click Start, point to Settings and click Control Panel.
  2. Double-click Add/Remove Programs.
  3. Select Windows NT 4.0 Hotfix [See Q285985 for more information], and click Add/Remove to uninstall.

 Last Updated: Monday, May 21, 2001
 © 2001 Microsoft Corporation. All rights reserved.