Microsoft KB Archive/811114

= MS03-018: May 2003 cumulative patch for Internet Information Services (IIS) =

Article ID: 811114

Article Last Modified on 11/7/2007


APPLIES TO


 * Microsoft Internet Information Services 5.1
 * Microsoft Internet Information Services 5.0
 * Microsoft Internet Information Server 4.0






SYMPTOMS
Microsoft has released a cumulative patch for Internet Information Server (IIS) 4.0, Internet Information Services (IIS) 5.0, and IIS 5.1. This patch includes the functionality of all security patches that have been released for IIS 4.0 since Windows NT 4.0 Service Pack 6a (SP6a), all security patches that have been released for IIS 5.0 since Windows 2000 Service Pack 2 (SP2), and all security patches that have been released for IIS 5.1. Additionally, this patch includes fixes for the following newly discovered security vulnerabilities that affect IIS 4.0, 5.0, and 5.1:
 * A cross-site scripting (CSS) vulnerability that affects IIS 4.0, 5.0, and 5.1. This vulnerability involves the error message that is returned to advise that a requested URL has been redirected. An attacker who lures a user to click a link on the attacker's Web site could relay a request that contains a script to a third-party Web site running IIS. This request could cause the third-party site's response (still including the script) to be sent to the user. The script could then run by using the security settings of the third-party site instead of the security settings of the attacker's site.
 * A buffer overrun that results because IIS 5.0 does not correctly validate requests for specific types of Web pages that are known as server-side includes. An attacker would have to be able to upload a server-side include page to a vulnerable IIS server. If the attacker then requests this page, a buffer overrun might occur. This buffer overrun would permit the attacker to run the code of his or her choice on the server with user-level permissions.
 * A denial of service vulnerability that results because of a flaw in the way that IIS 4.0 and 5.0 allocate memory requests when they construct headers to be returned to a Web client. An attacker would have to be able to upload an ASP page to a vulnerable IIS server. When the attacker calls to this ASP page, the page tries to return a very large header to the calling Web client. Because IIS does not limit the memory that can be used in this case, this might cause IIS to run out of memory and fail.
 * A denial of service vulnerability that results because IIS 5.0 and 5.1 do not correctly handle an error condition when a WebDAV request that is too long is passed to them. An attacker could use this problem to cause IIS to fail. However, by default, both IIS 5.0 and 5.1 restart immediately after this failure.

Mitigating factors for Redirection Cross-Site Scripting:
 * IIS 6.0 is not affected.
 * The vulnerability can only be exploited if the attacker can lure another user to visit a Web page and then click a link on the Web page, or lure the user to open an HTML mail.
 * The destination page must be an ASP page that uses Response.Redirect to redirect the client to a new URL that is based on the incoming URL of the current request.

Mitigating factors for Server Side Include Web Pages Buffer Overrun:
 * IIS 4.0, IIS 5.1, and IIS 6.0 are not affected.
 * By default, the IIS Lockdown tool disables the Ssinc.dll mapping (http://www.microsoft.com/technet/security/tools/locktool.mspx). This setting blocks this type of attack.
 * By default, IIS 5.0 runs under a user account and not under the system account. Therefore, an attacker who successfully exploited this vulnerability would gain only user level permissions instead of administrative level permissions.
 * An attacker must be able to upload files to the IIS Server.

Mitigating factors for Headers Denial of Service:
 * IIS 5.1 is not affected.
 * An attacker must be able to upload files to the IIS server.
 * IIS 5.0 automatically restarts after this failure.

Mitigating factors for WebDAV Denial of Service:
 * IIS 6.0 is not affected.
 * IIS 5.0 and 5.1 restart automatically after this failure.
 * By default, the IIS Lockdown tool disables WebDAV (http://www.microsoft.com/technet/security/tools/locktool.mspx). This setting blocks this type of attack.



Hotfix information
Caution If you have an application that is running under IIS and the application extends the IIS metabase schema, installing the security rollup fix may remove these extensions and your application may not function correctly. To determine if a third-party application extends the metabase schema, contact the third-party vendor.

Some ProClarity products are known to be affected by this security rollup fix, including the following products:
 * ProClarity Enterprise Server 4.0 and later
 * ProClarity Analytics Server 5.0, 5.1, and 5.2

To resolve the issue BEFORE you install the security rollup, use one of the following options:
 * Create a backup of the metabase, install the security rollup fix, and then restore the metabase afterward. (Note that Microsoft does not recommend this because of possible compatibility issues.) For more information about how to create a metabase backup, click the following article number to view the article in the Microsoft Knowledge Base: 302573 How to back up and restore IIS
 * Install Microsoft Windows 2000 Service Pack 4 (SP4). Windows 2000 SP4 includes the security rollup.
 * Contact Microsoft Product Support Services to receive a hotfix that corrects this problem.

If you have already installed the security rollup fix, and you have a problem with your application that extends the IIS metabase schema, the application must re-extend the metabase schema. This may require reinstalling the product.

Service pack information
To resolve this problem, obtain the latest service pack for Windows XP. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

322389 How to obtain the latest Windows XP service pack

Security patch information
For more information about how to resolve this vulnerability, click the following section names to view the sections of this article:
 * Internet Information Services 5.1
 * Internet Information Services 5.0
 * Internet Information Server 4.0

Internet Information Services 5.1
Download information

The following files are available for download from the Microsoft Download Center:

Windows XP Professional (all languages)

Download the 811114 package now.

Windows XP 64-bit Edition (all languages)

Download the 811114 package now.

Release Date: May 28, 2003

For more information about how to download Microsoft support files, click the following article number to view the article in the Microsoft Knowledge Base:

119591 How to obtain Microsoft support files from online services

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help prevent any unauthorized changes to the file.

Prerequisites

This patch requires that you have already installed the 329115 patch. If 329115 is not present, client-side certificates will be rejected. You can restore this functionality by installing the 329115 patch. For more information about the 329115 patch, click the following article number to view the article in the Microsoft Knowledge Base:

329115 MS02-050: Certificate validation flaw might permit identity spoofing

This patch requires the released version of Windows XP or Windows XP Service Pack 1 (SP1). For more information, click the following article number to view the article in the Microsoft Knowledge Base:

322389 How to obtain the latest Windows XP service pack

Installation information

This patch supports the following Setup switches:
 * /? : Display the list of installation switches.
 * /u : Use Unattended mode.
 * /f : Force other programs to quit when the computer shuts down.
 * /n : Do not back up files for removal.
 * /o : Overwrite OEM files without prompting.
 * /z : Do not restart when installation is complete.
 * /q : Use Quiet mode (no user interaction).
 * /l : List installed hotfixes.
 * /x : Extract the files without running Setup.

To verify that the patch is installed on your computer, confirm that the following registry key exists:

Deployment information

To install the patch without any user intervention, use the following command line:

q811114_wxp_sp2_x86_enu /u /q

To install the patch without forcing the computer to restart, use the following command line:

q811114_wxp_sp2_x86_enu /z

Note You can combine these switches in one command line.

For information about how to deploy this patch by using Software Update Services, visit the following Microsoft Web site:

http://technet.microsoft.com/en-us/wsus/bb466201.aspx

Restart requirement

You do not have to restart your computer after you apply this patch. If a dialog box appears that states that you must restart your computer after you apply this patch, you can safely ignore it.

Removal information

To remove this update, use the Add/Remove Programs tool in Control Panel.

System administrators can use the Spuninst.exe utility to remove this patch. Spuninst.exe is in the %Windir%\$NTUninstallQ811114$\Spuninst folder, and it supports the following Setup switches:
 * /? : Display the list of installation switches.
 * /u : Use unattended mode.
 * /f : Force other programs to quit when the computer shuts down.
 * /z : Do not restart when installation is complete.
 * /q : Use Quiet mode (no user interaction).

Patch replacement information

This patch replaces the patches that are discussed in the following Microsoft Knowledge Base articles:

327696 MS02-062: October 2002 cumulative patch for Internet Information Services

321599 MS02-028: Heap overrun in HTR-chunked encoding might enable Web server compromise

319733 MS02-018: April 2002 cumulative patch for Internet Information Services

File information

The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

   Date         Time   Version        Size       File name     Platform
   --------------------------------------------------------------------
   21-Mar-2003  22:14  5.1.2600.1181    340,992  Asp51.dll     i386
   08-Aug-2002  12:31                     2,411  Default.asp   i386
   21-Mar-2003  22:14  5.1.2600.1173    117,248  Ftpsv251.dll  i386
   21-Mar-2003  22:14  6.0.2600.1189    240,640  Httpext.dll   i386
   21-Mar-2003  22:14  5.1.2600.1172     55,296  Httpod51.dll  i386
   21-Mar-2003  22:14  5.1.2600.1152    129,536  Iische51.dll  i386
   21-Mar-2003  22:14  6.0.2600.1167    242,176  Infocomm.dll  i386
   21-Mar-2003  22:14  6.0.2600.1182     65,024  Isatq.dll     i386
   21-Mar-2003  22:14  6.0.2600.1167     10,752  Lonsint.dll   i386
   08-Aug-2002  12:31                    19,224  Query.asp     i386
   08-Aug-2002  12:31                     6,527  Search.asp    i386
   17-Dec-2002  23:03  5.1.2600.1152     11,264  Spiisupd.exe  i386
   21-Mar-2003  22:14  5.1.2600.1152     40,448  Ssinc51.dll   i386
   21-Mar-2003  22:14  5.1.2600.1166    340,992  W3svc.dll     i386

   21-Mar-2003  22:14  5.1.2600.1181  1,057,792  Asp51.dll     IA64
   08-Aug-2002  12:32                     2,411  Default.asp
   21-Mar-2003  22:14  5.1.2600.1173    289,792  Ftpsv251.dll  IA64
   21-Mar-2003  22:14  6.0.2600.1189    934,400  Httpext.dll   IA64
   21-Mar-2003  22:14  5.1.2600.1172    144,384  Httpod51.dll  IA64
   21-Mar-2003  22:14  5.1.2600.1152    155,136  Iische51.dll  IA64
   21-Mar-2003  22:14  6.0.2600.1167    669,696  Infocomm.dll  IA64
   21-Mar-2003  22:14  6.0.2600.1182    186,368  Isatq.dll     IA64
   21-Mar-2003  22:14  6.0.2600.1167     29,696  Lonsint.dll   IA64
   08-Aug-2002  12:32                    19,224  Query.asp
   08-Aug-2002  12:32                     6,527  Search.asp
   18-Dec-2002  00:05  5.1.2600.1152     24,064  Spiisupd.exe  IA64
   21-Mar-2003  22:14  5.1.2600.1152     96,768  Ssinc51.dll   IA64
   21-Mar-2003  22:14  5.1.2600.1166    921,088  W3svc.dll     IA64

The following files are included to support the installation of the patch:

   Date         Time   Version   Size     File name     Platform
   -------------------------------------------------------------
   27-Feb-2002  19:58              4,092  Eula.txt      i386
   24-Mar-2003  17:38             11,508  Q811114.cat   i386
   21-Mar-2003  19:56  5.3.16.5   18,944  Spcustom.dll  i386
   21-Mar-2003  19:54  5.3.16.5    6,656  Spmsg.dll     i386
   21-Mar-2003  19:56  5.3.16.5   89,088  Spuninst.exe  i386
   21-Mar-2003  19:54  5.3.16.5  411,136  Update.exe    i386
   21-Mar-2003  22:14              5,219  Update.inf    i386
   21-Mar-2003  22:14                936  Update.ver    i386

   11-Sep-2002  14:04              4,092  Eula.txt      IA64
   24-Mar-2003  17:38             11,508  Q811114.cat   IA64
   21-Mar-2003  19:55  5.3.16.5   52,736  Spcustom.dll  IA64
   21-Mar-2003  19:55  5.3.16.5    6,144  Spmsg.dll     IA64
   21-Mar-2003  19:55  5.3.16.5  214,528  Spuninst.exe  IA64
   21-Mar-2003  19:55  5.3.16.5  859,648  Update.exe    IA64
   21-Mar-2003  22:14              5,255  Update.inf    IA64
   21-Mar-2003  22:14                939  Update.ver    IA64

You can also verify the files that this patch installed by reviewing the following registry key:


Internet Information Services 5.0
Download information

The following file is available for download from the Microsoft Download Center:

All languages

Download the 811114 package now.

Release Date: May 28, 2003

For more information about how to download Microsoft support files, click the following article number to view the article in the Microsoft Knowledge Base:

119591 How to obtain Microsoft support files from online services

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help prevent any unauthorized changes to the file.

Prerequisites

This patch requires that you have already installed the 329115 patch. If 329115 is not present, client-side certificates will be rejected. You can restore this functionality by installing the 329115 patch. For more information about the 329115 patch, click the following article number to view the article in the Microsoft Knowledge Base:

329115 MS02-050: Certificate validation flaw might permit identity spoofing

This patch requires Windows 2000 Service Pack 2 (SP2) or Windows 2000 Service Pack 3 (SP3). For more information, click the following article number to view the article in the Microsoft Knowledge Base:

260910 How to obtain the latest Windows 2000 service pack

Installation information

This patch supports the following Setup switches:
 * /? : Display the list of installation switches.
 * /u : Use Unattended mode.
 * /f : Force other programs to quit when the computer shuts down.
 * /n : Do not back up files for removal.
 * /o : Overwrite OEM files without prompting.
 * /z : Do not restart when installation is complete.
 * /q : Use Quiet mode (no user interaction).
 * /l : List installed hotfixes.
 * /x : Extract the files without running Setup.

To verify that the patch is installed on your computer, confirm that the following registry key exists:

Deployment information

To install the patch without any user intervention, use the following command line:

q811114_w2k_sp4_x86_en /u /q

To install the patch without forcing the computer to restart, use the following command line:

q811114_w2k_sp4_x86_en /z

Note You can combine these switches in one command line.

For information about how to deploy this patch by using Software Update Services, visit the following Microsoft Web site:

http://technet.microsoft.com/en-us/wsus/bb466201.aspx

Restart requirement

You do not have to restart your computer after you apply this hotfix. The installer stops the correct services, applies the patch, and then restarts the services. However, if the installer cannot stop the services for any reason, you must restart your computer after Setup completes. If this behavior occurs, a message appears that prompts you to restart the computer.

Removal information

To remove this update, use the Add/Remove Programs tool in Control Panel.

System administrators can use the Spuninst.exe utility to remove this patch. Spuninst.exe is in the %Windir%\$NTUninstallQ811114$\Spuninst folder. This utility supports the following Setup switches:
 * /? : Display the list of installation switches.
 * /u : Use unattended mode.
 * /f : Force other programs to quit when the computer shuts down.
 * /z : Do not restart when installation is complete.
 * /q : Use Quiet mode (no user interaction).

Patch replacement information

This patch replaces the patches that are discussed in the following Microsoft Knowledge Base articles:

327696 MS02-062: October 2002 cumulative patch for Internet Information Services

321599 MS02-028: Heap overrun in HTR-chunked encoding might enable Web server compromise

319733 MS02-018: April 2002 cumulative patch for Internet Information Services

File information

The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

   Date         Time   Version        Size     File name
   --------------------------------------------------------
   26-Feb-2003  13:07  5.0.2195.6628  246,544  Adsiis.dll
   26-Feb-2003  13:07  5.0.2195.6672  337,168  Asp.dll
   22-Mar-2002  16:15                   2,413  Default.asp
   26-Feb-2003  13:07  5.0.2195.6628  118,032  Ftpsvc2.dll
   21-Mar-2003  22:16  5.0.2195.6692  246,544  Httpext.dll
   26-Feb-2003  13:07  5.0.2195.6667   57,104  Httpodbc.dll
   26-Feb-2003  13:07  5.0.2195.6664  122,128  Idq.dll
   26-Feb-2003  13:07  5.0.2195.6628  121,104  Iischema.dll
   26-Feb-2003  13:07  5.0.2195.6628   56,592  Iisext.dll
   26-Feb-2003  13:07  5.0.2195.6666   78,608  Iislog.dll
   20-Mar-2002  09:59                      30  Iisperf.txt
   26-Feb-2003  13:07  5.0.2195.6620  122,640  Iisrtl.dll
   26-Feb-2003  13:07  5.0.2195.6666  248,592  Infocomm.dll
   26-Feb-2003  13:07  5.0.2195.6666   62,736  Isatq.dll
   26-Feb-2003  13:07  5.0.2195.6620   46,352  Ism.dll
   26-Feb-2003  13:07  5.0.2195.6666   12,048  Lonsint.dll
   26-Feb-2003  13:07  5.0.2195.6620   26,896  Mdsync.dll
   24-Sep-2002  13:39  5.0.2195.6607    6,928  Perfvd.exe
   22-Mar-2002  16:15                  19,178  Query.asp
   22-Mar-2002  16:15                   5,571  Search.asp
   17-Oct-2002  17:00  5.0.2195.6611   13,072  Spiisupd.exe
   26-Feb-2003  13:07  5.0.2195.6624   41,232  Ssinc.dll
   26-Feb-2003  13:07  5.0.2195.6672  349,968  W3svc.dll
   26-Feb-2003  13:07  5.0.2195.6620   72,464  Wam.dll

The following files are included to support the installation of the patch:

   Date         Time   Version   Size     File name
   ---------------------------------------------------
   15-Nov-2001  19:27              5,149  Empty.cat
   01-Apr-2002  21:46              4,092  Eula.txt
   21-Mar-2003  23:18             14,231  Q811114.cat
   14-Mar-2003  15:51  5.3.16.5   18,944  Spcustom.dll
   14-Mar-2003  15:48  5.3.16.5    6,656  Spmsg.dll
   14-Mar-2003  15:51  5.3.16.5   89,088  Spuninst.exe
   14-Mar-2003  15:48  5.3.16.5  411,136  Update.exe
   21-Mar-2003  20:49             37,977  Update.inf
   21-Mar-2003  23:10              1,586  Update.ver

You can also verify the files that this patch installed by reviewing the following registry key:


Internet Information Server 4.0
Download information

The following file is available for download from the Microsoft Download Center:

All languages

Download the 811114 package now.

Release Date: May 28, 2003

For more information about how to download Microsoft support files, click the following article number to view the article in the Microsoft Knowledge Base:

119591 How to obtain Microsoft support files from online services

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help prevent any unauthorized changes to the file.

Prerequisites

Microsoft Internet Information Server (IIS) is not intended for use on Windows NT Server 4.0, Terminal Server Edition, and is not supported. Microsoft recommends that customers who run IIS 4.0 on Windows NT Server 4.0, Terminal Server Edition, protect their systems by removing IIS 4.0.

This patch requires that you have already installed the 329115 patch. If 329115 is not present, client-side certificates will be rejected. You can restore this functionality by installing the 329115 patch. For more information about the 329115 patch, click the following article number to view the article in the Microsoft Knowledge Base:

329115 MS02-050: Certificate validation flaw might permit identity spoofing

This patch requires Windows NT 4.0 Service Pack 6a (SP6a). For more information, click the following article number to view the article in the Microsoft Knowledge Base:

152734 How to obtain the Latest Windows NT 4.0 service pack

Installation information

This patch supports the following Setup switches:
 * /y : Perform removal (only with /m or /q ).
 * /f : Force programs to be closed at shutdown.
 * /n : Do not create an Uninstall folder.
 * /z : Do not restart when update completes.
 * /q : Use Quiet or Unattended mode with no user interface (this switch is a superset of /m ).
 * /m : Use Unattended mode with user interface.
 * /l : List installed hotfixes.
 * /x : Extract the files without running Setup.

To verify that the patch is installed on your computer, confirm that the following registry key exists:

Deployment information

To install the patch without any user intervention, use the following command line:

q811114i.exe /q

To install the patch without forcing the computer to restart, use the following command line:

q811114i.exe /z

Note You can combine these switches in one command line.

For information about how to deploy this patch by using Software Update Services, visit the following Microsoft Web site:

http://technet.microsoft.com/en-us/wsus/bb466201.aspx

Restart Requirement

To install this patch without restarting your computer, follow these steps:
 * 1) Stop all IIS services.
 * 2) Install the patch that contains the hotfix by using the /z switch.
 * 3) Restart the IIS services.

Removal information

System administrators can use the Hotfix.exe utility to remove this patch. Hotfix.exe is in the %Windir%\$NTUninstallQ811114$ folder, and it supports the following Setup switches:
 * /y : Perform removal (only with /m or /q ).
 * /f : Force programs to be closed at shutdown.
 * /n : Do not create an Uninstall folder.
 * /z : Do not restart when update completes.
 * /q : Use Quiet or Unattended mode with no user interface (this switch is a superset of /m ).
 * /m : Use Unattended mode with user interface.
 * /l : List installed hotfixes.
 * /x : Extract the files without running Setup.

Patch replacement information

This patch replaces the patches that are discussed in the following Microsoft Knowledge Base articles:

327696 MS02-062: October 2002 cumulative patch for Internet Information Services

321599 MS02-028: Heap overrun in HTR-chunked encoding might enable Web server compromise

319733 MS02-018: April 2002 cumulative patch for Internet Information Services

File information

The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

   Date         Time   Version     Size     File name
   -----------------------------------------------------
   07-Mar-2003  19:58  4.2.785.1   214,544  Adsiis.dll
   07-Mar-2003  19:58  4.2.785.1   332,224  Asp.dll
   02-Apr-2001  20:55  4.0.2.4701  593,976  Fp4autl.dll
   07-Mar-2003  19:58  4.2.785.1    81,888  Ftpsvc2.dll
   07-Mar-2003  19:57  4.2.785.1    55,936  Httpodbc.dll
   13-Jul-2001  20:14  5.0.1782.4  193,296  Idq.dll
   07-Mar-2003  19:58  4.2.785.1    99,424  Iischema.dll
   07-Mar-2003  19:56  4.2.785.1    63,984  Iislog.dll
   07-Mar-2003  19:57  4.2.785.1   187,344  Infocomm.dll
   07-Mar-2003  19:56  4.2.785.1    47,936  Isatq.dll
   07-Mar-2003  19:56  4.2.785.1    29,520  Iscomlog.dll
   07-Mar-2003  20:00  4.2.785.1    54,560  Ism.dll
   07-Mar-2003  19:59  4.2.785.1    31,872  Mdsync.dll
   07-Mar-2003  20:01  4.2.785.1     9,680  Schmupd.exe
   07-Mar-2003  19:58  4.2.785.1    38,256  Ssinc.dll
   07-Mar-2003  19:58  4.2.785.1    25,360  Sspifilt.dll
   07-Mar-2003  19:57  4.2.785.1   231,616  W3svc.dll
   07-Mar-2003  19:57  4.2.785.1    88,032  Wam.dll

The following files are included to support the installation of the patch:

   Date         Time   Version        Size    File name
   -----------------------------------------------------
   19-Sep-2002  17:29  4.0.1381.7163  95,504  Hotfix.exe
   12-May-2003  21:27                 11,327  Hotfix.inf
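
The file tables in this article list minimum versions ("or later file attributes"), so checking a server means comparing dotted version numbers field by field, not as strings. The following Python sketch is an added example, not part of the original Microsoft article: it parses rows copied from the IIS 5.0 table above, and the inventory, function names, and status labels are assumptions made for illustration.

```python
import re

# Rows copied from the IIS 5.0 file table in this article
# (date, time, version, size, file name). Default.asp carries no version.
KB811114_IIS50_ROWS = """\
26-Feb-2003  13:07  5.0.2195.6672  337,168  Asp.dll
22-Mar-2002  16:15                   2,413  Default.asp
21-Mar-2003  22:16  5.0.2195.6692  246,544  Httpext.dll
26-Feb-2003  13:07  5.0.2195.6624   41,232  Ssinc.dll
26-Feb-2003  13:07  5.0.2195.6672  349,968  W3svc.dll
"""

# One table row: the version and platform columns are optional.
ROW = re.compile(
    r"^\s*(?P<date>\d{2}-[A-Za-z]{3}-\d{4})\s+(?P<time>\d{2}:\d{2})\s+"
    r"(?:(?P<version>\d+(?:\.\d+){1,3})\s+)?"
    r"(?P<size>[\d,]+)\s+(?P<name>\S+)(?:\s+(?P<platform>\S+))?\s*$"
)


def parse_version(text):
    """Turn '5.0.2195.6672' into (5, 0, 2195, 6672) so fields compare numerically."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def parse_table(text):
    """Return {lowercase file name: minimum version tuple, or None if unversioned}."""
    required = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, separator or blank line
        version = m.group("version")
        required[m.group("name").lower()] = parse_version(version) if version else None
    return required


def audit(table_text, inventory):
    """Classify each table file against an inventory {file name: version string}."""
    found = {name.lower(): ver for name, ver in inventory.items()}
    report = {}
    for name, minimum in parse_table(table_text).items():
        if minimum is None:
            report[name] = "unversioned"  # no version to compare; check size and date
        elif name not in found:
            report[name] = "missing"
        elif parse_version(found[name]) >= minimum:
            report[name] = "ok"  # equal or later than the table entry
        else:
            report[name] = "outdated"
    return report


# Constructed inventory, as a collection script might report it for one server.
SAMPLE_INVENTORY = {
    "ASP.DLL": "5.0.2195.6672",      # exactly the version in the table
    "httpext.dll": "5.0.2195.6628",  # older than the table entry
    "W3svc.dll": "5.0.2195.10000",   # later build; a string compare would call it older
}

if __name__ == "__main__":
    for name, status in sorted(audit(KB811114_IIS50_ROWS, SAMPLE_INVENTORY).items()):
        print(f"{name:14} {status}")
```

Files reported as "unversioned" (the .asp pages) have no version column in the table and can only be checked against the listed size and date.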


STATUS
Microsoft has confirmed that this problem may cause a degree of security vulnerability in the Microsoft products that are listed in the "Applies To" section. This problem was first corrected in Windows XP Service Pack 2.


MORE INFORMATION
For more information about this vulnerability, visit the following Microsoft Web site:

http://www.microsoft.com/technet/security/bulletin/MS03-018.mspx

Customers who use Site Server must be aware that a previously documented issue that involves intermittent authentication errors affects this patch and a small number of other patches. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

317815 Site Server logon problems occur after you apply certain Windows 2000 hotfixes

These patches do not include fixes for vulnerabilities that involve non-IIS products, such as the Microsoft FrontPage Server Extensions and Microsoft Index Server, although these products are closely associated with IIS and are typically installed on IIS servers. However, there is one exception. The fix for the vulnerability that affects Index Server is included in this patch because of the seriousness of the issue for IIS servers. (This vulnerability is discussed in Microsoft Security Bulletin MS01-033.) At the time that this article was written, the Microsoft Security Bulletins that discuss these vulnerabilities are as follows:

Microsoft Security Bulletin MS02-053

Microsoft Security Bulletin MS02-050

Microsoft Security Bulletin MS01-043

Microsoft Security Bulletin MS01-025

Microsoft Security Bulletin MS00-084

Microsoft Security Bulletin MS00-018

Microsoft Security Bulletin MS00-006

The fixes for the following vulnerabilities that affect IIS 4.0 are not included in the patch because they require administrative action instead of a software change. Administrators must make sure that they not only apply this patch, but also take the administrative action that is described in the following bulletins:

Microsoft Security Bulletin MS00-028

Microsoft Security Bulletin MS00-025

Microsoft Security Bulletin MS99-025 (this bulletin discusses the same issue as Microsoft Security Bulletin MS98-004)

Microsoft Security Bulletin MS99-013

Additional query words: security_patch rollup css DoS

Keywords: kbhotfixserver kbqfe atdownload kbwinxpsp2fix kbwinnt400presp7fix kbwinxppresp2fix kbwin2000presp4fix kbsecvulnerability kbsecurity kbsecbulletin kbqfe kbfix kbbug KB811114


© Microsoft Corporation. All rights reserved.