Microsoft Security Bulletin MS00-006
Patch Available for "Malformed Hit-Highlighting Argument" Vulnerability
Originally Posted: January 26, 2000
Revised: March 31, 2000
On January 26, 2000 Microsoft released the original version of this bulletin to announce the availability of a patch that eliminates two security vulnerabilities in Microsoft® Index Server. The first vulnerability could allow a malicious user to view -- but not to change, add or delete -- files on a web server. The second vulnerability could reveal where web directories are physically located on the server.
On February 04, 2000, a new variant of the second vulnerability was discovered, which was already eliminated by the patch. Microsoft updated this bulletin in order to advise customers of it, but customers who already applied the patch did not need to take any action.
On February 11, 2000, Microsoft re-released the Windows 2000 version of this patch to take advantage of improvements in the Hotfix packaging tool. These improvements enable the hotfix tool to detect the default language of the system, and also give users better inventory control based on the Knowledge Base article and Service Pack. Although the patch itself was not changed by this re-release, Microsoft nevertheless recommended that Windows 2000 customers apply the new version in order to ensure that the new tool was present on their systems.
On March 31, 2000, Microsoft re-released the Windows NT 4.0 version of this patch, to address a recently-discovered variant of the vulnerability. Only the Windows NT 4.0 patch was affected by the new variant.
Frequently asked questions regarding this vulnerability and the patch can be found at http://www.microsoft.com/technet/security/bulletin/fq00-006.mspx
Please see the following references for more information related to this issue.
- Frequently Asked Questions: Microsoft Security Bulletin MS00-006, http://www.microsoft.com/technet/security/bulletin/fq00-006.mspx.
- Microsoft Knowledge Base (KB) article 251170, Malformed Argument in Hit-Highlighting Request Allows Access to Web Server Files, http://support.microsoft.com/default.aspx?scid=kb;en-us;251170.
- Microsoft Knowledge Base (KB) article 252463, Index Server Error Message Reveals Physical Location of Web Directories, http://support.microsoft.com/default.aspx?scid=kb;en-us;252463.
- Microsoft TechNet Security web site.
Obtaining Support on this Issue
This is a fully supported patch. Information on contacting Microsoft Technical Support is available at http://support.microsoft.com/contactussupport/?ws=support.
Microsoft thanks David Litchfield of Cerberus Information Security, Ltd for reporting the "Malformed Hit-Highlighting Argument" vulnerability to us and working with us to protect customers.
- January 26, 2000: Bulletin Created.
- February 04, 2000: Bulletin revised to provide additional detail about Indexing Services, and to discuss an additional variant of the "Malformed Hit-Highlighting Argument" vulnerability that is eliminated by the original patch.
- February 11, 2000: Bulletin revised to reflect availability of patch for Windows 2000 with new version of Hotfix.exe
- March 31, 2000: Bulletin revised to discuss new variant of "Malformed Hit Highlighting Argument" vulnerability affecting Windows NT 4.0.
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.