This update resolves the "Session ID Cookie Marking" security vulnerability in Internet Information Server (IIS) 4.0 and Internet Information Services (IIS) 5.0. Secure Sockets Layer (SSL)-protected Active Server Pages (.asp files) cannot mark Session ID cookies as "encrypted cookies" because .asp files in IIS do not support the creation of SSL-secured Session ID cookies. Consequently, SSL-secured and non-secure pages on the same Web site use the same session ID, and the cookie that carries it is also sent over the non-secure connection, where SSL does not protect it. This vulnerability enables a malicious user to connect to the SSL-secured Web page you're viewing, assume your identity, and place orders or view your personal information. Download now to help prevent a malicious user from obtaining your Session ID and connecting to your SSL-protected session.
This update eliminates the vulnerability by adding support for SSL-secured Session ID cookies in .ASP Web pages.
For more information about this vulnerability, please read Microsoft Security Bulletin MS00-080. (This site is in English.)
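To confirm after patching that a site's SSL-protected pages now issue a secured Session ID cookie, an administrator can review the `Set-Cookie` headers the server returns. The following is an added example, not code from Microsoft or from this update; the host name, URLs and cookie values are constructed samples, and it assumes the classic ASP cookie naming that begins with `ASPSESSIONID`.

```python
ASP_PREFIX = "ASPSESSIONID"  # assumption: classic ASP session cookie names begin with this


def parse_set_cookie(value):
    """Return (name, attribute-dict) for one Set-Cookie header value."""
    first, *rest = [p.strip() for p in value.split(";")]
    name = first.partition("=")[0].strip()
    attrs = {}
    for part in rest:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()  # attribute names are case-insensitive
    return name, attrs


def audit(responses):
    """responses: iterable of (url, [Set-Cookie values]); returns (url, cookie, reason)."""
    findings = []
    for url, cookies in responses:
        scheme = url.partition("://")[0].lower()
        for raw in cookies:
            name, attrs = parse_set_cookie(raw)
            if not name.upper().startswith(ASP_PREFIX):
                continue  # only the ASP session cookie is in scope
            if scheme == "https" and "secure" not in attrs:
                findings.append((url, name, "set over SSL without the Secure attribute"))
            elif scheme == "http":
                findings.append((url, name, "issued over a non-secure page"))
    return findings


# Constructed sample responses (not captured traffic).
SAMPLE = [
    ("https://shop.example/checkout.asp",
     ["ASPSESSIONIDQQGGGLKC=ABCDEFGHIJKLMNOPQRSTUVWX; path=/"]),
    ("https://shop.example/account.asp",
     ["ASPSESSIONIDQQGGGLKC=ABCDEFGHIJKLMNOPQRSTUVWX; path=/; Secure"]),
    ("http://shop.example/default.asp",
     ["ASPSESSIONIDGQGQGKLC=ZYXWVUTSRQPONMLKJIHGFEDC; path=/"]),
    ("https://shop.example/checkout.asp", ["theme=dark; path=/"]),
]

if __name__ == "__main__":
    for url, name, reason in audit(SAMPLE):
        print(f"{url}: {name} {reason}")
```

A session cookie issued over a non-secure page is reported separately because any SSL-protected page that accepts it shares its session ID with the non-secure side of the site.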