This update resolves the "Specialized Header" vulnerability in Internet Information Services (IIS) 5.0, which ships with Windows 2000. Download now to help prevent a malicious user from exploiting this vulnerability and causing your Web server to send the source code of .asp or .htr files to a visiting browser. Security recommendations advise against ever including sensitive information in .asp or .htr files.

IIS supports advanced file types such as .asp and .htr files, which are executed by a scripting engine on a server and are not sent to your browser, as .htm files are. IIS determines what scripting engine to use by checking file extensions. A malicious user could go to a Web site and add particular characters to the end of the Web site's URL, requesting further files within the site. IIS locates the correct advanced file, but does not recognize it as a file that needs processing by a scripting engine. Consequently, IIS sends the file to a browser as it does .htm files, revealing the file source code.

For additional information about this vulnerability, read Microsoft Security Bulletin MS00-058. (This site may be in English.)

1. Click Start, point to Settings and click Control Panel.
2. Double-click Add/Remove Programs.
3. Select Windows 2000 Hotfix (Pre-Sp1) [See Q265888 for more information] and click Change/Remove to uninstall.