Microsoft Security Bulletin MS00-098 - Important
Patch Available for 'Indexing Service File Enumeration' Vulnerability
Published: December 19, 2000 | Updated: April 19, 2001
Originally posted: December 19, 2000
Microsoft has released a patch that eliminates a security vulnerability in a component that ships as part of Microsoft® Windows® 2000. The vulnerability could allow a malicious web site operator to learn the names and properties of files and folders on the machine of a visiting user.
- Index Server 2.0
- Indexing Service 3.0
Note: Index Server 2.0 ships as part of the Windows NT 4.0 Option Pack. Indexing Service 3.0 ships as part of all versions of Windows 2000.
An ActiveX control that ships as part of Indexing Service is incorrectly marked as "safe for scripting", thereby enabling it to be executed by web site applications. The control at issue here could be used to enumerate files and folders, and to view their properties. It would not be necessary for Indexing Service to be running in order for the vulnerability to be exploited; however, if it were running, the control also could be used to search for files containing specific words. The vulnerability could not be used to read files, except via a fairly unlikely scenario discussed in detail in the FAQ. It could not be used under any conditions to change, add or delete information on the user's computer.
A patch has been provided for Indexing Service 3.0, but not for Index Server 2.0. This is primarily due to the different delivery vehicles for the two versions. Indexing Service 3.0 ships as part of all versions of Windows 2000; thus, the vulnerability could affect all Windows 2000 users. In contrast, Index Server 2.0 ships as part of the Windows NT 4.0 Option Pack; thus, to be affected by the vulnerability in Index Server 2.0, a webmaster would need to browse untrustworthy Internet sites from a web server, which is contrary to normal recommended practices.
What's this bulletin about?
Microsoft Security Bulletin MS00-098 announces the availability of a patch that eliminates a vulnerability in a service that ships as part of Microsoft® Windows® 2000. Microsoft is committed to protecting customers' information, and is providing the bulletin to inform customers of the vulnerability and what they can do about it.
What's the scope of the vulnerability?
This vulnerability could enable a malicious web site operator to write a web application that could gather information about files on a visiting user's computer. Among the information the application could gather are the names and properties of folders and files on the user's machine. If Indexing Service were running, rather than just installed, the application also could use the vulnerability to search for files containing specific words.
The vulnerability does not provide any way to read the contents of files, except via a procedure that, as discussed below, is unlikely to be possible in most realistic cases. There is no capability to add, change or delete information on the user's computer via this vulnerability.
What causes the vulnerability?
An ActiveX control that ships as part of Indexing Service is incorrectly marked as "safe for scripting". The control allows files and folders to be enumerated; because it's marked safe for scripting, a web application could invoke it if a user visited the site using an affected machine.
What is Indexing Service?
Microsoft Indexing Service is a service that provides a means of quickly searching for files on the machine. The most familiar usage of the service is on web servers, where it provides the functionality behind site searches. However, Indexing Service 3.0 ships as part of all versions of Windows 2000 Server, so all Windows 2000 users could potentially be affected by the vulnerability.
Prior to Windows 2000, Indexing Service was known as Index Server. Index Server 2.0, which ships as part of the Windows NT 4.0 Option Pack, also is affected by the vulnerability. However, as discussed below, customers who follow recommended operational procedures could not be affected by it. Because of this, we've discussed the vulnerability primarily as it affects Indexing Service.
What's wrong with Indexing Service?
There's nothing wrong with the service itself. The vulnerability results because an ActiveX control that ships with Indexing Service is incorrectly marked as "safe for scripting". This allows it to be invoked by applications on web sites. The control provides functionality that would enable a web application to list file and folder names, and potentially learn other information as well.
What does "safe for scripting" mean?
Whenever a developer writes an ActiveX control, she needs to indicate whether or not the control can be safely called by a program on a web site. Web sites can potentially be operated by malicious people, so a control should only be callable by a site if its functionality cannot be misused to harm visitors to the site.
By marking a control "safe for scripting", the developer makes an assertion that the control is safe for use by web sites. Any control that isn't marked as "safe for scripting" can only be used by programs that run on the user's machine. The problem in this case is that an ActiveX control that ships with Indexing Service is incorrectly marked as "safe for scripting".
What would the control allow a web site to do?
The control could be used to perform two tasks:
- It would allow a web application to enumerate files and folders on the user's machine. This would enable the malicious web site operator to learn the names of the files and folders, and to view their properties.
- If Indexing Service were running on the user's machine, the control could be used to search files on the machine, and return a list of the ones that contain particular words.
What kind of information could a malicious web site operator learn by viewing file properties?
At a minimum, he could learn the date on which the file was created and the date when it was last modified. If information such as the title, creator's name, and subject had been stored, the malicious web site operator could read it as well. This information is not typically stored as part of text files and executable files, but it is generally stored as part of Office files.
Could the malicious web site operator read the files?
Not directly. The control would not enable the web application to open the file and simply read its contents. It only allows the files to be enumerated.
However, if Indexing Service were running on the user's machine, a roundabout method could be used under very unusual conditions to gain the file contents. If the web site operator performed a search on the user's machine for every word in the dictionary, he could compile a listing of the files that contain each word, and where in the file the word resides. He could then use this information to reconstruct the files. However, this clearly would take an extraordinary amount of time, and it is very unlikely that a visitor to a web site would stay connected to the site long enough for this to be done successfully.
Is Indexing Service running by default on Windows 2000 machines?
No. Although it is installed by default as part of all versions of Windows 2000, it does not run by default.
Could this vulnerability be used to change data on the user's machine?
No. It could only be used to read data. There is no capability to add, change or delete data via the control.
Is the control present on all Windows 2000 machines?
Yes. The control ships as part of Indexing Service, and is installed by default on all Windows 2000 machines, regardless of whether Indexing Service is running or not.
Does this vulnerability represent a flaw in the ActiveX technology?
No. The vulnerability exists because a particular ActiveX control was incorrectly marked. There is no flaw in the ActiveX technology.
Why is there a patch for Indexing Service, but not for Index Server?
Although the vulnerability does affect both Indexing Service and Index Server, the difference in the way the two versions ship makes a radical difference in the risk the vulnerability poses.
- Every copy of Windows 2000 includes Indexing Service, so every Windows 2000 user is potentially affected by the vulnerability. As a result, we've provided a patch to eliminate the vulnerability in Indexing Service.
- In contrast, Index Server only ships as part of the Windows NT 4.0 Option Pack - it does not ship by default as part of any operating system. Moreover, the Option Pack is only intended for installation on web servers (indeed, it's the delivery vehicle for IIS 4.0). Thus, a user could only be affected by the Index Server vulnerability if he used his web server to browse untrustworthy Internet sites, which clearly is contrary to safe computing practices.
Who should use the patch?
Microsoft recommends that Windows 2000 users consider installing the patch on any machine used for web browsing.
What does the patch do?
The patch eliminates the vulnerability by removing the "safe for scripting" marking on the control.
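As an added example (not Microsoft's code and not part of the bulletin), the following audits a registry export for COM classes that carry a registry-based "safe for scripting" or "safe for initializing" marking, which is one way to confirm the marking is gone after patching. It assumes the marking is stored as a component-category subkey under `Implemented Categories`; the sample export, CLSIDs, names and paths are constructed.

```python
import re

# Component-category IDs that mark a COM class as callable from web script.
CATID_SAFE_FOR_SCRIPTING = "{7DD95801-9882-11CF-9FA9-00AA006C42C4}"
CATID_SAFE_FOR_INITIALIZING = "{7DD95802-9882-11CF-9FA9-00AA006C42C4}"
FLAGS = {CATID_SAFE_FOR_SCRIPTING: "scripting", CATID_SAFE_FOR_INITIALIZING: "initializing"}

KEY_RE = re.compile(r"^\[.*?\\CLSID\\(\{[0-9A-Fa-f-]{36}\})(?:\\(.+))?\]$")
DEFAULT_RE = re.compile(r'^@="(.*)"$')

def audit_reg_export(text):
    """Map CLSID -> details for every class carrying a safe-for-* marking."""
    classes, current = {}, None
    for line in map(str.strip, text.splitlines()):
        key = KEY_RE.match(line)
        if key:
            sub = (key.group(2) or "").upper()
            entry = classes.setdefault(key.group(1).upper(),
                                       {"name": "", "server": "", "marks": set()})
            head, _, tail = sub.partition("\\")
            if head == "IMPLEMENTED CATEGORIES" and tail in FLAGS:
                entry["marks"].add(FLAGS[tail])
            current = (entry, sub)
        elif line.startswith("["):
            current = None  # a key outside ...\CLSID\{...}
        elif current and DEFAULT_RE.match(line):
            # .reg files double every backslash inside string values.
            value = DEFAULT_RE.match(line).group(1).replace("\\\\", "\\")
            entry, sub = current
            if sub == "":
                entry["name"] = value
            elif sub == "INPROCSERVER32":
                entry["server"] = value
    return {c: e for c, e in classes.items() if e["marks"]}

# Constructed sample in .reg text form; CLSIDs, names and paths are made up.
SAMPLE_EXPORT = r"""
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{11111111-1111-1111-1111-111111111111}]
@="Constructed Query Control"
[HKEY_CLASSES_ROOT\CLSID\{11111111-1111-1111-1111-111111111111}\InprocServer32]
@="C:\\WINNT\\System32\\example1.dll"
[HKEY_CLASSES_ROOT\CLSID\{11111111-1111-1111-1111-111111111111}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}]
[HKEY_CLASSES_ROOT\CLSID\{22222222-2222-2222-2222-222222222222}]
@="Constructed Local-Only Control"
"""

if __name__ == "__main__":
    for clsid, e in audit_reg_export(SAMPLE_EXPORT).items():
        print(clsid, e["name"], e["server"], sorted(e["marks"]))
```

Registry exports are normally written as UTF-16, so decode the file accordingly before passing its text in. A control can also declare itself safe at run time through the IObjectSafety interface, which a registry audit like this does not see.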
Where can I get the patch?
The download location for the patch is provided in the "Patch Availability" section of the security bulletin.
How do I use the patch?
The Knowledge Base article contains detailed instructions for applying the patch to your site.
How can I tell if I installed the patch correctly?
The Knowledge Base article provides a manifest of the files in the patch package. The easiest way to verify that you've installed the patch correctly is to verify that these files are present on your computer, and have the same sizes and creation dates as shown in the KB article.
What is Microsoft doing about this issue?
- Microsoft has delivered a patch that eliminates the vulnerability.
- Microsoft has provided a security bulletin and this FAQ to provide customers with a detailed understanding of the vulnerability and the procedure to eliminate it.
- Microsoft has sent copies of the security bulletin to all subscribers to the Microsoft Product Security Notification Service, a free e-mail service that customers can use to stay up to date with Microsoft security bulletins.
- Microsoft has issued a Knowledge Base article explaining the vulnerability and procedure in more detail.
Where can I learn more about best practices for security?
The Microsoft TechNet Security web site is the best place to get information about Microsoft security.
How do I get technical support on this issue?
Microsoft Product Support Services can provide assistance with this or any other product support issue.
Download locations for this patch
- Indexing Service 3.0:
Note: As discussed in the FAQ, a patch has not been provided for Index Server 2.0, because this product should only be installed on web servers, which should never be used for browsing the Internet.
Note: This patch can be applied to systems running Windows 2000 Gold or Service Pack 1. It will be included in Windows 2000 Service Pack 2.
Additional information about this patch
Installation platforms: Please see the following references for more information related to this issue.
- Microsoft Knowledge Base (KB) article Q280838, http://support.microsoft.com/default.aspx?scid=kb;en-us;280838&sd=tech
Support: This is a fully supported patch. Information on contacting Microsoft Product Support Services is available at http://support.microsoft.com/contactussupport/?ws=support.
Security Resources: The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.
The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
- December 19, 2000: Bulletin Created.
- April 19, 2001: Bulletin corrected to note that the fix is included in Windows 2000 Service Pack 2.