Microsoft KB Archive/299872

= Additional information pertaining to patch MS01-026 =

Article ID: 299872

Article Last Modified on 7/18/2007


APPLIES TO


 * Microsoft Internet Information Server 4.0
 * Microsoft Internet Information Services 5.0




This article was previously published under Q299872



We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 6.0 running on Microsoft Windows Server 2003. IIS 6.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site:

http://www.microsoft.com/technet/security/prodtech/IIS.mspx



SUMMARY
This Knowledge Base article provides additional information about patch MS01-026. It lists the earlier patches that are included in this patch, describes how to verify that the patch is present on your server, and covers other useful information.



Installation platforms
The IIS 4.0 patch can be installed on systems running Windows NT 4.0 Service Pack 5 or Windows NT 4.0 Service Pack 6a.

Service Pack 5

http://www.microsoft.com/technet/archive/downloads/winnt.mspx

Service Pack 6a

http://www.microsoft.com/downloads/details.aspx?FamilyID=e396d059-e402-46ef-b095-a74399e25737&DisplayLang=en

The IIS 5.0 patch can be installed on systems running Windows 2000 Gold, Windows 2000 Service Pack 1, and Windows 2000 Service Pack 2.

Service Pack 1

http://www.microsoft.com/windows2000/downloads/servicepacks/sp1/default.mspx

Inclusion in future service packs
The fix for this issue will be included in the upcoming security roll-up for Windows NT and in Windows 2000 Service Pack 3.

Superseded patches
The IIS 4.0 patch supersedes those that are provided in the following security bulletins:

 * Microsoft Security Bulletin MS01-004: http://www.microsoft.com/technet/security/bulletin/MS01-004.mspx
 * Microsoft Security Bulletin MS00-100: http://www.microsoft.com/technet/security/bulletin/MS00-100.mspx
 * Microsoft Security Bulletin MS00-086: http://www.microsoft.com/technet/security/bulletin/MS00-086.mspx
 * Microsoft Security Bulletin MS00-080: http://www.microsoft.com/technet/security/bulletin/MS00-080.mspx
 * Microsoft Security Bulletin MS00-078: http://www.microsoft.com/technet/security/bulletin/MS00-078.mspx
 * Microsoft Security Bulletin MS00-063: http://www.microsoft.com/technet/security/bulletin/MS00-063.mspx
 * Microsoft Security Bulletin MS00-060: http://www.microsoft.com/technet/security/bulletin/MS00-060.mspx
 * Microsoft Security Bulletin MS00-057: http://www.microsoft.com/technet/security/bulletin/MS00-057.mspx
 * Microsoft Security Bulletin MS00-044: http://www.microsoft.com/technet/security/bulletin/MS00-044.mspx
 * Microsoft Security Bulletin MS00-031: http://www.microsoft.com/technet/security/bulletin/MS00-031.mspx
 * Microsoft Security Bulletin MS00-030: http://www.microsoft.com/technet/security/bulletin/MS00-030.mspx
 * Microsoft Security Bulletin MS00-023: http://www.microsoft.com/technet/security/bulletin/MS00-023.asp
 * Microsoft Security Bulletin MS00-019: http://www.microsoft.com/technet/security/bulletin/MS00-019.asp
 * Microsoft Security Bulletin MS00-018: http://www.microsoft.com/technet/security/bulletin/MS00-018.asp
 * Microsoft Security Bulletin MS99-061: http://www.microsoft.com/technet/security/bulletin/MS99-061.asp
 * Microsoft Security Bulletin MS99-058: http://www.microsoft.com/technet/security/bulletin/MS99-058.asp
 * Microsoft Security Bulletin MS99-053: http://www.microsoft.com/technet/security/bulletin/MS99-053.asp
 * Microsoft Security Bulletin MS99-039: http://www.microsoft.com/technet/security/bulletin/MS99-039.asp
 * Microsoft Security Bulletin MS99-029: http://www.microsoft.com/technet/security/bulletin/MS99-029.asp
 * Microsoft Security Bulletin MS99-022: http://www.microsoft.com/technet/security/bulletin/MS99-022.asp
 * Microsoft Security Bulletin MS99-019: http://www.microsoft.com/technet/security/bulletin/MS99-019.asp
 * Microsoft Security Bulletin MS99-003: http://www.microsoft.com/technet/security/bulletin/MS99-003.asp

The IIS 5.0 patch supersedes those that are provided in the following security bulletins:

 * Microsoft Security Bulletin MS01-023: http://www.microsoft.com/technet/security/bulletin/MS01-023.mspx
 * Microsoft Security Bulletin MS01-016: http://www.microsoft.com/technet/security/bulletin/MS01-016.mspx
 * Microsoft Security Bulletin MS01-014: http://www.microsoft.com/technet/security/bulletin/MS01-014.mspx
 * Microsoft Security Bulletin MS01-004: http://www.microsoft.com/technet/security/bulletin/MS01-004.mspx
 * Microsoft Security Bulletin MS00-100: http://www.microsoft.com/technet/security/bulletin/MS00-100.mspx
 * Microsoft Security Bulletin MS00-086: http://www.microsoft.com/technet/security/bulletin/MS00-086.mspx
 * Microsoft Security Bulletin MS00-080: http://www.microsoft.com/technet/security/bulletin/MS00-080.mspx
 * Microsoft Security Bulletin MS00-078: http://www.microsoft.com/technet/security/bulletin/MS00-078.mspx
 * Microsoft Security Bulletin MS00-060: http://www.microsoft.com/technet/security/bulletin/MS00-060.mspx
 * Microsoft Security Bulletin MS00-058: http://www.microsoft.com/technet/security/bulletin/MS00-058.mspx
 * Microsoft Security Bulletin MS00-057: http://www.microsoft.com/technet/security/bulletin/MS00-057.mspx
 * Microsoft Security Bulletin MS00-044: http://www.microsoft.com/technet/security/bulletin/MS00-044.mspx
 * Microsoft Security Bulletin MS00-031: http://www.microsoft.com/technet/security/bulletin/MS00-031.mspx
 * Microsoft Security Bulletin MS00-030: http://www.microsoft.com/technet/security/bulletin/MS00-030.mspx
 * Microsoft Security Bulletin MS00-023: http://www.microsoft.com/technet/security/bulletin/MS00-023.asp
 * Microsoft Security Bulletin MS00-019: http://www.microsoft.com/technet/security/bulletin/MS00-019.asp

Verifying patch installation
IIS 4.0:

To verify that the patch has been installed on the computer, confirm that the following registry key has been created on the computer:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q295534

To verify the individual files, consult the file manifest in the following Knowledge Base article:

295534 MS01-026: Superfluous decoding operation can allow command execution through IIS

IIS 5.0:

To verify that the patch has been installed on the computer, confirm that the following registry key has been created on the computer:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP2\Q293826

To verify the individual files, use the date/time and version information that is provided in the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP2\Q293826\Filelist
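
One way to run the registry checks above offline against a text export of a server's registry, as an added example that is not Microsoft's code. It assumes the export was produced by regedit; the sample export, including the value names and data under Filelist, is constructed.

```python
import re

# Registry keys this article gives for verifying the MS01-026 patch.
PATCH_KEYS = {
    "IIS 4.0": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q295534",
    "IIS 5.0": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP2\Q293826",
}

def parse_reg_export(text):
    """Parse regedit export text into {key_path: {value_name: data}}."""
    keys, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        section = re.fullmatch(r"\[(-?)(.+)\]", line)
        if section:
            # "[-KEY]" is a deletion directive, not evidence that the key exists.
            current = None if section.group(1) else keys.setdefault(section.group(2), {})
            continue
        value = re.fullmatch(r'(@|"(?:[^"\\]|\\.)*")=(.*)', line)
        if value and current is not None:
            current[value.group(1).strip('"')] = value.group(2).strip('"')
    return keys

def patch_status(text):
    """Report, per product, whether the patch key exists and what Filelist holds."""
    keys = {path.lower(): values for path, values in parse_reg_export(text).items()}
    report = {}
    for product, key in PATCH_KEYS.items():
        base = key.lower()  # registry key names are case-insensitive
        prefix = base + "\\filelist"
        files = [v for path, v in keys.items()
                 if (path == prefix or path.startswith(prefix + "\\")) and v]
        report[product] = {"installed": base in keys, "files": files}
    return report

# Constructed sample export from a Windows 2000 server; the value names and
# data under Filelist are illustrative, not taken from the article.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP2\Q293826]
"Description"="constructed sample value"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Updates\Windows 2000\SP2\Q293826\Filelist]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Updates\Windows 2000\SP2\Q293826\Filelist\0]
"FileName"="httpext.dll"
"Version"="0.0.0.0"
"""

if __name__ == "__main__":
    for product, result in patch_status(SAMPLE_EXPORT).items():
        print(product, result)
```

A present key only shows that the installer ran; the Filelist entries (IIS 5.0) or the file manifest in article 295534 (IIS 4.0) still need to be compared with the files on disk.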

Caveats
The fixes for four vulnerabilities affecting IIS 4.0 servers are not included in the patch, because they require administrative action rather than a software change. Administrators should ensure that in addition to applying this patch, they have also taken the administrative action that is discussed in the following bulletins:

 * Microsoft Security Bulletin MS00-028: http://www.microsoft.com/technet/security/bulletin/ms00-028.mspx
 * Microsoft Security Bulletin MS00-025: http://www.microsoft.com/technet/security/bulletin/ms00-025.mspx
 * Microsoft Security Bulletin MS99-025 (this bulletin discusses the same issue as Microsoft Security Bulletin MS98-004): http://www.microsoft.com/technet/security/bulletin/ms99-025.mspx (MS99-025), http://www.microsoft.com/technet/security/bulletin/ms98-004.mspx (MS98-004)
 * Microsoft Security Bulletin MS99-013: http://www.microsoft.com/technet/security/bulletin/ms99-013.mspx

The patch does not include fixes for vulnerabilities that involve non-IIS products such as FrontPage Server Extensions and Index Server, even though these products are closely associated with IIS and are typically installed on IIS servers. At this writing, the bulletins that discuss these vulnerabilities are the following:

 * Microsoft Security Bulletin MS01-025: http://www.microsoft.com/technet/security/bulletin/ms01-025.mspx
 * Microsoft Security Bulletin MS00-084: http://www.microsoft.com/technet/security/bulletin/ms00-084.mspx
 * Microsoft Security Bulletin MS00-006: http://www.microsoft.com/technet/security/bulletin/ms00-006.mspx

Customers who have disabled WebDAV on IIS 5.0 servers should re-enable it before installing the patch, to ensure that an updated version of Httpext.dll is installed. For more information, see the following Knowledge Base article:

241520 How to disable WebDAV for IIS 5.0

Customers using IIS 4.0 should ensure that they have followed the correct installation order before installing this or any security patch. For more information, see the following Microsoft Web site:

http://www.microsoft.com/NTServer/nts/deployment/planguide/Install.asp

The patch prevents FTP logons using UPN notation (that is, userid@domain).

Localization
Localized versions of this patch are available from the download locations that are listed in the "Patch Availability" section.

Obtaining other security patches
Security patches are available from the Microsoft Download Center, and can be most easily found by doing a keyword search for "security_patch".

http://www.microsoft.com/downloads/Search.aspx

Patches for consumer platforms are available from the Windows Update Web site:

Windows Update

http://windowsupdate.microsoft.com/

All patches that are available through Windows Update are also available in a redistributable form from the Windows Update corporate site:

WindowsUpdate Corporate

http://corporate.windowsupdate.microsoft.com/

Keywords: kbhowto KB299872


© Microsoft Corporation. All rights reserved.