
Security Update, November 9, 2000

This update resolves the "IIS Cross-Site Scripting" security vulnerability in Internet Information Services (IIS) 5.0 and Internet Information Server (IIS) 4.0. This vulnerability could enable a malicious user to run code on another user's computer, disguised as a third-party Web site. If a malicious user exploits this vulnerability successfully, a Web site hosted by your server can be used to run code, forward information, and read or write cookies on the computer of any visiting user. Download now to prevent a malicious user from introducing code on your Web server and returning that code as a Web page (hosted by your server) to visiting browsers.

Note: This update only resolves the vulnerability found in IIS. Microsoft recommends that customers who host Web sites contact the suppliers of the software programs that run on their servers, and verify that the vendor has reviewed each software program for Cross-Site Scripting vulnerabilities. Static Web pages cannot be exploited by this vulnerability; customers whose Web servers only supply static content do not need to install this update.

This vulnerability does not allow a malicious operator to add, change, or delete any content on your Web site.

Any software running on a Web server is vulnerable if it:

For more information on this vulnerability, please read Microsoft Security Bulletin MS00-060. (This site is in English.)

System Requirements

This update applies to:

How to use
Restart your computer to complete the installation.

How to uninstall
  1. Click Start, point to Settings, and then click Control Panel.
  2. Double-click Add/Remove Programs.
  3. Select Windows 2000 Hotfix (Pre-SP2) [See Q275657 for more information] and click Change/Remove to uninstall.
