
Security Update, May 10, 2001

This update addresses the "Malformed Hit-Highlighting" security vulnerability on Windows 2000 computers running Indexing Service, and is discussed in Microsoft Security Bulletin MS01-025. Download now to help prevent a malicious user from reading files on your Web server.

When you conduct a search using Indexing Service, the hit-highlighting function provides search results that highlight portions of documents that satisfy your search query. This vulnerability exists because Indexing Service doesn't set the correct parameters for hit-highlighting search requests. If a malicious user provides a specific type of malformed request, that request can retrieve files on the server, regardless of the permissions that have been set by the administrator.

By design, the hit-highlighting feature allows the user to specify the name of the document to be hit-highlighted. The user should only be able to request documents within the server's virtual directories; however, if a specific type of malformed argument is provided, it can be used to request a file by its physical location on the drive.
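The containment rule described above (a requested document must resolve inside one of the server's virtual directories, never to an arbitrary physical location) can be sketched as follows. This is an added example, not Microsoft's code or the contents of the update; the virtual-directory table, paths and function names are hypothetical, and the rejected inputs in the comments are generic cases, not the malformed request from the bulletin.

```python
import ntpath  # Windows path rules, usable on any OS

# Constructed virtual-directory table (hypothetical names and paths).
VROOTS = {
    "/": r"C:\Inetpub\wwwroot",
    "/docs": r"D:\Published\docs",
}

class Rejected(ValueError):
    """The requested document is not inside a virtual directory."""

def resolve_virtual(requested, vroots=VROOTS):
    """Map a virtual path to a physical file, or raise Rejected."""
    # 1. Accept only server-relative virtual paths: no drive letters,
    #    UNC names, backslashes, stream syntax or NUL bytes.
    if not requested.startswith("/") or requested.startswith("//"):
        raise Rejected("not a virtual path")
    if "\\" in requested or ":" in requested or "\x00" in requested:
        raise Rejected("physical-path syntax in request")
    # 2. Pick the longest matching virtual directory.
    match = None
    for vdir in sorted(vroots, key=len, reverse=True):
        prefix = vdir.rstrip("/") + "/"
        if requested == vdir or requested.lower().startswith(prefix.lower()):
            match = vdir
            break
    if match is None:
        raise Rejected("no virtual directory")
    root = ntpath.normpath(vroots[match])
    rest = requested[len(match):].lstrip("/")
    # 3. Normalise first, then confirm the result is still under the root.
    physical = ntpath.normpath(ntpath.join(root, *rest.split("/")))
    root_cmp = ntpath.normcase(root).rstrip("\\") + "\\"
    if not (ntpath.normcase(physical) + "\\").startswith(root_cmp):
        raise Rejected("escapes virtual directory")
    return physical
```

The order matters: the check in step 3 runs on the normalised physical path, so a request that is syntactically a virtual path but resolves outside its root is still refused.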

For more information about this vulnerability, read Microsoft Security Bulletin MS01-025. (This site is in English.)

System Requirements
This update applies to Windows 2000 computers running Indexing Service.

How to use
Restart your computer to complete the installation.

How to uninstall

  1. Click Start, point to Settings, and then click Control Panel.
  2. Double-click Add/Remove Programs.
  3. Click Windows 2000 Hotfix (Pre-SP3) [See Q296185 for more information], and then click Change/Remove to uninstall.
