Read Me First
This update resolves a new variant of the "File Fragment
Reading via .htr" security vulnerability that is present in
Internet Information Server (IIS) 4.0 with .htr enabled, and
is discussed in Microsoft Security Bulletin MS01-004. Download
now if you use .htr functionality, to prevent a malicious user
from reading portions of certain files on your Web server.
The vulnerability exists because the ISAPI (Internet
Services Application Programming Interface) extension that
processes .htr files may be used incorrectly in processing
server-side non-.htr files, such as Active Server Pages (ASP
pages). If a malicious user requests a file from the server by
using a specific type of malformed URL, this can cause IIS to
use the ISAPI extension to process the file, even if it is not
an .htr file. The ISAPI extension attempts to interpret the
requested file as an .htr file, and although it will remove
virtually everything but text from the file, portions of the
text can be sent back to the malicious user.
The recommended method for eliminating this vulnerability
is to disable the .htr functionality in IIS. If you have a
business-critical reason to continue to use the .htr
functionality, you should download the update, even if you
have already installed previous updates that provide
protection against the variants discussed in Microsoft
Security Bulletins MS00-031
(These sites are in English.)
Customers who have no reason to use the .htr functionality,
and haven’t already disabled .htr, should do so rather than
download this update. (Instructions for disabling .htr are
provided in the Frequently
Asked Questions section of Security Bulletin
Note: This update has been revised as of February 2,
2001. Microsoft recommends that you install this version of
For more information about this vulnerability, please read
Microsoft Security Bulletin MS01-004.
This update applies to Internet Information Server (IIS)
4.0 with the .htr functionality enabled.
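
Added example, not part of Microsoft's page or the update itself: a Python check that audits exported script-map entries for a remaining .htr mapping and for other extensions bound to the same handler. It assumes that .htr is disabled by removing its script mapping and that entries take the form "extension,handler,flags[,verbs]"; the metabase paths, handler paths and the .xyz extension are constructed sample data.

```python
# Constructed sample: script-map entries as they might be exported from each
# metabase node. Assumed entry format: "extension,handler path,flags[,verbs]".
SAMPLE_SCRIPT_MAPS = {
    "/LM/W3SVC": [
        r".asp,C:\WINNT\System32\inetsrv\asp.dll,1,PUT,DELETE",
        r".HTR,C:\WINNT\System32\inetsrv\ism.dll,1",
    ],
    "/LM/W3SVC/1/ROOT": [
        r".asp,C:\WINNT\System32\inetsrv\asp.dll,1,PUT,DELETE",
    ],
    "/LM/W3SVC/2/ROOT": [
        r".asp,C:\WINNT\System32\inetsrv\asp.dll,1,PUT,DELETE",
        r".xyz,c:\winnt\system32\inetsrv\ISM.DLL,1",  # hypothetical extension
        "malformed-entry",
    ],
}

def parse_entry(entry):
    """Return (extension, handler path, remaining fields) or None if unparseable."""
    parts = [p.strip() for p in entry.split(",")]
    if len(parts) < 2 or not parts[0].startswith(".") or not parts[1]:
        return None
    return parts[0].lower(), parts[1], parts[2:]

def handler_name(path):
    """File name of the handler, lower-cased (Windows paths are case-insensitive)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def audit(script_maps, ext=".htr"):
    """List (node, finding, detail) tuples for every entry that needs review."""
    parsed = {n: [parse_entry(e) for e in es] for n, es in script_maps.items()}
    # Handlers that serve the target extension on any node.
    handlers = {handler_name(p[1]) for es in parsed.values()
                for p in es if p and p[0] == ext}
    findings = []
    for node in sorted(parsed):
        for raw, p in zip(script_maps[node], parsed[node]):
            if p is None:
                findings.append((node, "unparsed", raw))  # review by hand
            elif p[0] == ext:
                findings.append((node, "htr-mapped", p[1]))
            elif handler_name(p[1]) in handlers:
                # Another extension still routed to the .htr handler.
                findings.append((node, "shares-htr-handler", p[0]))
    return findings

if __name__ == "__main__":
    for node, finding, detail in audit(SAMPLE_SCRIPT_MAPS):
        print(f"{node}: {finding}: {detail}")
```

An empty result means no audited node still maps .htr; a mapping set at a parent node applies to child nodes that do not override it, so check the parent first.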
How to download and install
- Select your language from the drop-down list above.
- Click Next.
- On the following page, click Download Now.
- Do one of the following:
  - To start the installation immediately, select Run
    this Program from its Current Location.
  - To copy the download to your computer for installation
    at a later time, select Save this Program to Disk.
- Click OK.
Note: Some languages also include a symbols package
for this update. This package is recommended for system
administrators and other advanced users; it is used to
diagnose Windows NT® 4.0 system problems and is not required
for proper operation of your computer.
How to use
Restart your computer to complete the installation.
How to uninstall
- Click Start, point to Settings and click
- Double-click Add/Remove Programs.
- Select Windows NT 4.0 Hotfix [See Q285985 for more
information], and click Add/Remove to uninstall.