Security Update, June 26, 2001

This update resolves the "Function Exposed via LDAP over SSL Could Enable Passwords to be Changed" security vulnerability in Windows 2000 Server and Windows 2000 Advanced Server, and is discussed in Microsoft Security Bulletin MS01-036. Download now to help prevent a malicious user from changing another user's domain password.

This vulnerability exists because the Lightweight Directory Access Protocol (LDAP) function, which allows users to change data attributes of directory principals, doesn't check the credentials of the user correctly, in the specific case where the directory principal is a user and the data attribute is the domain password. This could enable an attacker to change another user's domain password, including the administrator's password, without proper authorization.

Note: This vulnerability only affects Windows 2000 servers that provide LDAP services over Secure Sockets Layer (SSL).

For more information about this vulnerability, read Microsoft Security Bulletin MS01-036. (This site is in English).

System Requirements
This update applies to:

How to use
Restart your computer to complete the installation.

How to uninstall
  1. Click Start, point to Settings, and then click Control Panel.
  2. Double-click Add/Remove Programs.
  3. Select Windows 2000 Hotfix (Pre SP3) [See Q299687 for more information], and then click Change/Remove to uninstall.
