
Security Update, February 2, 2001

This update resolves a new variant of the "File Fragment Reading via .htr" security vulnerability that is present in Internet Information Server (IIS) 4.0 with .htr enabled, and is discussed in Microsoft Security Bulletin MS01-004. Download now if you use .htr functionality, to prevent a malicious user from reading portions of certain files on your Web server.

The vulnerability exists because the ISAPI (Internet Services Application Programming Interface) extension that processes .htr files may be used incorrectly in processing server-side non-.htr files, such as Active Server Pages (ASP pages). If a malicious user requests a file from the server by using a specific type of malformed URL, this can cause IIS to use the ISAPI extension to process the file, even if it is not an .htr file. The ISAPI extension attempts to interpret the requested file as an .htr file, and although it will remove virtually everything but text from the file, portions of the text can be sent back to the malicious user.

The recommended method for eliminating this vulnerability is to disable the .htr functionality in IIS. If you have a business-critical reason to continue to use the .htr functionality, you should download the update, even if you have already installed previous updates that provide protection against the variants discussed in Microsoft Security Bulletins MS00-031 and MS00-044. (These sites are in English.)

Customers who have no reason to use the .htr functionality, and haven’t already disabled .htr, should disable it rather than download this update. (Instructions for disabling .htr are provided in the Frequently Asked Questions section of Security Bulletin MS01-004.)

Note: This update has been revised as of February 2, 2001. Microsoft recommends that you install this version of the update.

For more information about this vulnerability, please read Microsoft Security Bulletin MS01-004. (This site is in English.)

System Requirements

This update applies to Internet Information Server (IIS) 4.0 with the .htr functionality enabled.

How to use
Restart your computer to complete the installation.

How to uninstall
  1. Click Start, point to Settings, and then click Control Panel.
  2. Double-click Add/Remove Programs.
  3. Select Windows 2000 Hotfix [See Q285985 for more information], and click Add/Remove to uninstall.
