Microsoft Security Bulletin MS01-026

Superfluous Decoding Operation Could Allow Command Execution via IIS

Originally posted: May 14, 2001


Who should read this bulletin: System administrators using Microsoft® Internet Information Server 4.0 or Internet Information Services 5.0

Impact of vulnerability: Three vulnerabilities: code execution, denial of service, information disclosure.

Recommendation: System administrators should apply the patch to all machines running IIS 4.0 or 5.0 immediately.

Affected Software:

  • Microsoft Internet Information Server 4.0
  • Microsoft Internet Information Services 5.0

Technical details

Frequently asked questions

Patch availability

Download locations for this patch

Additional information about this patch

Other information:


Microsoft thanks the following people for working with us to protect customers:


  • Microsoft Knowledge Base articles Q293826, Q295534, Q294370 and Q288855 discuss this issue and will be available approximately 24 hours after the release of this bulletin. Knowledge Base articles can be found on the Microsoft Online Support web site.
  • Technical support is available from Microsoft Product Support Services. There is no charge for support calls associated with security patches.

Security Resources: The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.


  • V1.0 (May 14, 2001): Bulletin Created.
  • V1.1 (May 15, 2001): Caveats section updated to advise customers that disabling WebDAV will prevent the patch from updating httpext.dll, and to advise that the patch disables UPN-style logons via FTP.

  Last updated May 15, 2001
  © 2001 Microsoft Corporation. All rights reserved. Terms of use.