This update resolves the "File Permission Canonicalization" security vulnerability in Internet Information Server 4.0 (IIS 4.0) and Internet Information Services 5.0 (IIS 5.0). Download now to help prevent a malicious user from gaining permission to use Internet Server Application Programming Interface (ISAPI) files hosted on a Web server. This vulnerability does not affect static Web pages or non-Web file types such as .exe, .doc, or .bat.
A canonicalization error can, under certain conditions, cause IIS 4.0 or IIS 5.0 to apply incorrect permissions to certain types of files. If an affected file resides in a folder with restrictive permissions and the file is requested via a particular type of malformed URL, the permissions actually used are those of a folder in the file's parentage chain, but not those of the folder the file actually resides in. If the ancestor folder's permissions are more permissive than those of the correct folder, the malicious user can gain additional privileges to the affected file. The vulnerability can be exploited only under very specific conditions:
For more information about this vulnerability, read Microsoft Security Bulletin MS00-057. (This site is in English.)
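The permission mix-up described above, shown as an added example: this is a simplified Python model, not Microsoft's code, and it does not reproduce the malformed URL the bulletin concerns. The ACL table, the sample paths (including the non-canonical one) and all function names are constructed for illustration; the point is that authorizing on the raw path selects an ancestor folder's permissions, while canonicalizing first selects the correct folder's.

```python
import posixpath

# Constructed ACL table: folder -> principals allowed to use files in it.
ACLS = {
    "/": {"admin"},
    "/app": {"admin", "anonymous"},   # permissive ancestor
    "/app/secure": {"admin"},         # restrictive folder holding the file
}

def nearest_acl_folder(path):
    """Return the deepest folder in the path's parent chain that has an ACL."""
    folder = posixpath.dirname(path)
    while folder not in ACLS:
        parent = posixpath.dirname(folder)
        if parent == folder:          # nothing left to strip
            return "/"
        folder = parent
    return folder

def canonicalize(path):
    """Collapse '.', '..' and repeated slashes into one absolute form."""
    return posixpath.normpath("/" + path.lstrip("/"))

def allowed_naive(path, principal):
    """Flawed order: the ACL is looked up on the path exactly as requested."""
    return principal in ACLS[nearest_acl_folder(path)]

def allowed_hardened(path, principal):
    """Canonicalize first, then authorize against the canonical path."""
    return principal in ACLS[nearest_acl_folder(canonicalize(path))]

def acl_mismatch(path):
    """Detection aid: raw and canonical forms select different ACL folders."""
    return nearest_acl_folder(path) != nearest_acl_folder(canonicalize(path))

if __name__ == "__main__":
    # Constructed requests: one canonical, one non-canonical spelling.
    for req in ("/app/secure/report.dll", "/app/./secure/report.dll"):
        print(req,
              "| ACL folder (raw):", nearest_acl_folder(req),
              "| naive allows anonymous:", allowed_naive(req, "anonymous"),
              "| hardened allows anonymous:", allowed_hardened(req, "anonymous"),
              "| flag for review:", acl_mismatch(req))
```

The same comparison in `acl_mismatch` can be run over request logs to surface requests whose raw and canonical forms would have been authorized differently.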