Security Update, July 17, 2000
This update resolves two security vulnerabilities in Internet Information Services (IIS) 5.0, the "Absent Directory Browser Argument" vulnerability and the "File Fragment Reading via .HTR" vulnerability, and is discussed in Microsoft Security Bulletin MS00-044. Download now to help prevent a malicious user from exploiting these vulnerabilities to slow the performance of an affected Web server or, under very specific conditions, obtain the source code of certain types of files on a Web server.
.htr files are scripts that Windows 2000 uses to change passwords and that administrators can use to perform a variety of password administration functions. Neither vulnerability allows data to be changed, added, or deleted on the server, and neither gives administrative control over the affected computer.
Details about the two vulnerabilities that are addressed in this update:
- The "Absent Directory Browser Argument" vulnerability. An administrative script that was installed as part of IIS 3.0, and that is preserved on upgrade to IIS 4.0 or IIS 5.0, does not correctly handle the case where an expected argument is missing. The absence of the argument causes the script to go into an infinite loop, at which point the script consumes all CPU resources on the server. In addition, the permissions on this tool and several related ones, which were appropriate under IIS 3.0, are inappropriate under IIS 5.0. This could allow Web site visitors to use these tools, which provide the ability to view the directory structure on the server.
- A new variant of the "File Fragment Reading via .htr" vulnerability. The original version was discussed in Microsoft Security Bulletin MS00-031. The new variant differs only in the specific way it could be exploited. Like the original, its effect is that fragments of .asp and other files could potentially be retrieved from the server. As with the original, the mechanics of the new variant make it likely that the parts of an .asp file most interesting to a malicious user would be stripped out.
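To make the first item concrete, here is an added example of the bug class, written for this page rather than taken from the bulletin or from Microsoft's script: a Python stand-in for a paged directory browser. The argument name pagesize, the entry list and the bounding budget are assumptions of the example. The vulnerable handler treats an absent argument as zero and so never advances its loop; the hardened handler refuses the request unless the argument is present, numeric and within range.

```python
from urllib.parse import parse_qs

# Constructed directory listing standing in for the server's directory tree
# (placeholder data for this example, not taken from the bulletin).
SAMPLE_ENTRIES = ["default.asp", "global.asa", "images", "include", "login.asp", "scripts"]


def browse_vulnerable(query_string, entries=SAMPLE_ENTRIES, budget=1000):
    """Models the bug class: the script assumes its argument is present.

    A missing (or empty) 'pagesize' argument silently becomes 0, so the loop
    cursor never advances and the handler spins, pegging the CPU.  The 'budget'
    cap exists only so this demonstration terminates; the real script had no
    such cap and ran until the worker was killed.
    """
    params = parse_qs(query_string)                     # parse_qs drops empty values
    page_size = int(params.get("pagesize", ["0"])[0])   # absent -> 0, unchecked
    start, pages, iterations = 0, [], 0
    while start < len(entries):
        pages.append(entries[start:start + page_size])
        start += page_size                              # no progress when page_size == 0
        iterations += 1
        if iterations >= budget:
            return {"status": "hung", "iterations": iterations}
    return {"status": "ok", "pages": pages}


def browse_hardened(query_string, entries=SAMPLE_ENTRIES, max_page_size=100):
    """Validate the argument before it drives a loop: it must be present,
    numeric and within a sane range; otherwise reject the request outright."""
    params = parse_qs(query_string)
    raw = params.get("pagesize", [None])[0]
    if raw is None:
        return {"status": 400, "error": "missing required argument: pagesize"}
    if not raw.isdigit() or not 1 <= int(raw) <= max_page_size:
        return {"status": 400, "error": "pagesize must be an integer in 1..%d" % max_page_size}
    page_size = int(raw)
    pages = [entries[i:i + page_size] for i in range(0, len(entries), page_size)]
    return {"status": 200, "pages": pages}


if __name__ == "__main__":
    for q in ("pagesize=4", "", "pagesize=0"):
        print("%-14r vulnerable=%-6s hardened=%s"
              % (q, browse_vulnerable(q)["status"], browse_hardened(q)["status"]))
```

Note that an explicit pagesize=0 hangs the vulnerable version just as the absent argument does; the check in the hardened version is on the value, not merely on presence. The permissions half of the item is a separate fix: even a correct handler should not be reachable by anonymous visitors if it exposes the directory tree.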
For more information about these vulnerabilities, read Microsoft Security Bulletin MS00-044.
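A defender can also check the server's IIS W3C extended logs for the conditions the two items describe. The following is an added example, not from the bulletin or from Microsoft, run over a constructed log excerpt: the /admintools/ prefix standing for the virtual directory that holds the legacy IIS 3.0 tools, the 10.1.1.0/24 administrator network, and every address, path and script name in the sample are placeholders to be replaced with the server's own (the real file names of the affected scripts are not given on this page; take them from MS00-044).

```python
import ipaddress

# Assumptions for this example (adjust to the server being reviewed):
# the virtual directory holding the legacy IIS 3.0 administrative tools,
# and the address ranges from which administrators legitimately work.
ADMIN_TOOL_PREFIX = "/admintools/"
ADMIN_NETS = [ipaddress.ip_network("10.1.1.0/24")]

# Constructed W3C extended log excerpt, not a real capture: addresses,
# paths and script names are placeholders invented for the example.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2000-07-18 00:01:10 203.0.113.5 GET /default.asp - 200
2000-07-18 00:01:12 203.0.113.5 GET /images/logo.gif - 200
2000-07-18 00:02:30 203.0.113.9 GET /admintools/pwchange.htr - 200
2000-07-18 00:02:41 203.0.113.9 GET /admintools/dirtool.dll - 200
2000-07-18 00:05:03 10.1.1.20 GET /admintools/dirtool.dll dir=/inetpub/wwwroot 200
2000-07-18 00:07:55 198.51.100.7 GET /orders/list.htr - 200
"""

HTR = "htr-handler request"
NO_ARGS = "admin tool called without arguments"
NON_ADMIN = "admin tool reached from non-admin address"


def parse_w3c(text):
    """Yield one dict per data line, using the #Fields directive for names.
    W3C extended logs are space-delimited and write '-' for an empty field."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("data line before #Fields directive: %r" % line)
        values = line.split()
        if len(values) != len(fields):
            raise ValueError("field count mismatch: %r" % line)
        yield dict(zip(fields, values))


def triage(text):
    """Return (client ip, uri stem, reason) tuples for requests worth a look."""
    findings = []
    for rec in parse_w3c(text):
        stem = rec["cs-uri-stem"]
        src = ipaddress.ip_address(rec["c-ip"])
        # Any use of the .htr handler: the file-fragment variants leak other
        # files' contents through it, so do not filter on the password
        # scripts' own names.
        if ".htr" in stem.lower():
            findings.append((rec["c-ip"], stem, HTR))
        if stem.lower().startswith(ADMIN_TOOL_PREFIX):
            # Permissions that were fine under IIS 3.0 let anonymous visitors
            # reach these tools on IIS 5.0: flag anyone outside the admin nets.
            if not any(src in net for net in ADMIN_NETS):
                findings.append((rec["c-ip"], stem, NON_ADMIN))
            # A call with no query string is the missing-argument case that
            # sends the directory browser into its CPU-consuming loop.
            if rec["cs-uri-query"] == "-":
                findings.append((rec["c-ip"], stem, NO_ARGS))
    return findings


if __name__ == "__main__":
    for ip, stem, reason in triage(SAMPLE_LOG):
        print("%-14s %-28s %s" % (ip, stem, reason))
```

On the sample, the administrator's call with a dir argument from 10.1.1.20 produces no finding, while the two calls from 203.0.113.9 are flagged both for coming from outside the administrator range and for carrying no argument; the two .htr requests are flagged regardless of path. A spike of no-argument calls to the legacy tools is the signature of the CPU-exhaustion case, and any .htr traffic from the Internet on a server that does not use the password scripts deserves a look.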
This update applies to Windows 2000 computers running IIS 5.0.
Restart your computer to complete the installation.
To remove this update later:
- Click Start, point to Settings, and then click Control Panel.
- Double-click Add/Remove Programs.
- Select Windows 2000 Hotfix [See Q267560 for more information], and then click Change/Remove to uninstall.