Microsoft Product Support Services   All Products  |   Support  |   Search  |   microsoft.com Home  
microsoft.com
  Support Home  |   Find a Solution  |   Request Support  |   Custom Support  |

Patch Available for New Variant of the "Malformed Hit-Highlighting" Vulnerability


The information in this article applies to:
  • Microsoft Index Server version 2.0
  • Indexing Service


SYMPTOMS

A new variant of the Malformed Hit-Highlighting vulnerability has been discovered that affects both Index Server 2.0 and Indexing Service in Microsoft Windows 2000. The new variant has exactly the same scope as the original vulnerability. If an attacker provides an invalid search request, he or she can read files that reside on the Web server. The new patch eliminates all known variants of the vulnerability.

Mitigating Factors:

  • The vulnerability would only allow files to be read. File cannot be added, changed, or deleted through this vulnerability.


  • Server-side files should not contain sensitive data. If you follow this recommendation, there would be no sensitive data to compromise through this vulnerability.


  • The vulnerability would only allow files that reside on the Web server (and in the same logical drive as the server's root directory) to be read. It would not allow files elsewhere on the server, or files that reside on a remote server, to be read.



RESOLUTION

Indexing Service

A supported fix is now available from Microsoft, but it is only intended to correct the problem described in this article and should be applied only to systems that are determined to be at risk of attack. Please evaluate your computer's physical accessibility, network and Internet connectivity, and other factors to determine the degree of risk to your computer. Please see the associated Microsoft Security Bulletin to help make this determination. This fix may receive additional testing at a later time, to further ensure product quality. If your computer is sufficiently at risk, Microsoft recommends that you apply this fix now. Otherwise, wait for the next Windows 2000 service pack that contains this fix.

To resolve this problem immediately, download the fix as instructed below or contact Microsoft Product Support Services to obtain the fix. For a complete list of Microsoft Product Support Services phone numbers and information on support costs, please go to the following address on the World Wide Web:

http://support.microsoft.com/directory/overview.asp
NOTE: In special cases, charges that are normally incurred for support calls may be canceled, if a Microsoft Support Professional determines that a specific update will resolve your problem. Normal support costs will apply to additional support questions and issues that do not qualify for the specific update in question.

The following file is available for download from the Microsoft Download Center:
[GRAPHIC: Download]Download Q296185_w2k_sp3_x86_en.exe now
For additional information about how to download Microsoft Support files, click the article number below to view the article in the Microsoft Knowledge Base:
Q119591 How to Obtain Microsoft Support Files from Online Services
Microsoft used the most current virus detection software available on the date of posting to scan this file for viruses. Once posted, the file is housed on secure servers that prevent any unauthorized changes to the file.

The English version of this fix should have the following file attributes or later:
   Date        Time    Version        Size    File name
   ------------------------------------------------------
   04/12/2001  03:40p  5.0.2195.3498  42,768  Webhits.dll 

Index Server 2.0

A supported fix is now available from Microsoft, but it is only intended to correct the problem described in this article and should be applied only to systems that are determined to be at risk of attack. Please evaluate your computer's physical accessibility, network and Internet connectivity, and other factors to determine the degree of risk to your computer. Please see the associated Microsoft Security Bulletin to help make this determination. This fix may receive additional testing at a later time, to further ensure product quality. If your computer is sufficiently at risk, Microsoft recommends that you apply this fix now.

To resolve this problem immediately, download the fix as instructed below or contact Microsoft Product Support Services to obtain the fix. For a complete list of Microsoft Product Support Services phone numbers and information on support costs, please go to the following address on the World Wide Web:

http://support.microsoft.com/directory/overview.asp
NOTE: In special cases, charges that are normally incurred for support calls may be canceled, if a Microsoft Support Professional determines that a specific update will resolve your problem. Normal support costs will apply to additional support questions and issues that do not qualify for the specific update in question.

The following file is available for download from the Microsoft Download Center:
[GRAPHIC: Download]Download Q296185i.exe now
For additional information about how to download Microsoft Support files, click the article number below to view the article in the Microsoft Knowledge Base:
Q119591 How to Obtain Microsoft Support Files from Online Services
Microsoft used the most current virus detection software available on the date of posting to scan this file for viruses. Once posted, the file is housed on secure servers that prevent any unauthorized changes to the file.

The English version of this fix should have the following file attributes or later:
   Date        Time    Version     Size    File name
   ---------------------------------------------------
   04/12/2001  03:51p  5.0.1781.3  42,256  Webhits.dll 
NOTE: Due to file dependencies, this hotfix requires Microsoft Windows NT 4.0 Service Pack 4 or later.


STATUS

Microsoft has confirmed that this problem could result in some degree of security vulnerability in Indexing Service in Windows 2000 and Index Server 2.0.


MORE INFORMATION

For more information about this vulnerability, see the following Microsoft Web site:

http://www.microsoft.com/technet/security/bulletin/MS01-025.asp

Additional query words: security_patch

Keywords : kbWinNT400PreSP7Fix kbWin2000PreSP3Fix kbgraphxlinkcritical
Issue type : kbbug
Technology : kbIdxServSearch kbAudDeveloper kbIdxServ100 kbIdxServ200


Last Reviewed: June 1, 2001
© 2001 Microsoft Corporation. All rights reserved. Terms of Use.


Article ID: Q296185

Last Reviewed:
June 1, 2001

Send to a friend

Provided by
Microsoft Product Support Services


Did the information in this article help answer your question?

Yes
No
Did not apply

Please provide additional comments about this information.
(255 character max)