Microsoft Security Bulletin MS01-033
Unchecked Buffer in Index Server ISAPI Extension Could Enable Web Server Compromise
Originally posted: June 18, 2001
Updated: November 04, 2003
Who should read this bulletin:
System administrators of web servers using Microsoft® Windows NT® 4.0 or Windows® 2000.
Impact of vulnerability:
Run code of attacker's choice.
Microsoft strongly urges all web server administrators to apply the patch immediately.
- Microsoft Index Server 2.0
- Indexing Service in Windows 2000
Note: Indexing Service in versions of Windows XP prior to Release Candidate 1 is also affected by the vulnerability. As discussed in the FAQ, Microsoft is working directly with the small number of customers who are using a pre-RC1 beta version in production environments to provide remediation for them.
- Microsoft Knowledge Base article Q300972 discusses this issue and will be available approximately 24 hours after the release of this bulletin. Knowledge Base articles can be found on the Microsoft Online Support web site.
- Technical support is available from Microsoft Product Support Services. There is no charge for support calls associated with security patches.
Security Resources: The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.
The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
- V1.0 (June 18, 2001): Bulletin Created.
- V1.1 (June 18, 2001): List of superseded patches corrected to indicate that MS00-006 and MS01-025 are not superseded by the one provided in this bulletin.
- V1.2 (August 06, 2001): Updated specific beta information for Windows XP.
- V1.3 (August 20, 2001): Patch Availability section updated to indicate that the patch provided here has been superseded by the one provided in MS01-044.
- V1.4 (August 21, 2001): Released a version of the patch that can be installed on all Windows 2000 versions, including Gold, and updated Installation Platforms section to match.
- V1.5 (May 6, 2002): Bulletin updated to advise availability of Windows NT 4.0 Server, Terminal Server Edition Security Rollup Package.
- V1.6 (November 04, 2003): Updated links to Windows Update in Additional Information.