Microsoft KB Archive/275657: Difference between revisions
(importing KB archive) |
m (Text replacement - "[[File:../gfx/" to "[[File:") |
||
Line 80: | Line 80: | ||
<div class="indent"> | <div class="indent"> | ||
[[File: | [[File:download.gif|[GRAPHIC: Download]]] [http://download.microsoft.com/download/win2000platform/patch/q275657/nt5/en-us/q275657_w2k_sp2_x86_en.exe English Language Version]<br /> | ||
<br /> | <br /> | ||
[[File: | [[File:download.gif|[GRAPHIC: Download]]] [http://download.microsoft.com/download/win2000platform/patch/q275657/nt5/cs/q275657_w2k_sp2_x86_cs.exe Czech Language Version]<br /> | ||
<br /> | <br /> | ||
[[File: | [[File:download.gif|[GRAPHIC: Download]]] [http://download.microsoft.com/download/win2000platform/patch/q275657/nt5/nl/q275657_w2k_sp2_x86_nl.exe Dutch Language Version]<br /> | ||
<br /> | <br /> | ||
[[File: | [[File:download.gif|[GRAPHIC: Download]]] [http://download.microsoft.com/download/win2000platform/patch/q275657/nt5/fr/q275657_w2k_sp2_x86_fr.exe French Language Version]<br /> | ||
<br /> | <br /> | ||
[[File: | [[File:download.gif|[GRAPHIC: Download]]] [http://download.microsoft.com/download/win2000platform/patch/q275657/nt5/hu/q275657_w2k_sp2_x86_hu.exe Hungarian Language Version]<br /> | ||
<br /> | <br /> | ||
[[File: | [[File:download.gif|[GRAPHIC: Download]]] [http://download.microsoft.com/download/win2000platform/patch/q275657/nt5/it/q275657_w2k_sp2_x86_it.exe Italian Language Version]<br /> | ||
<br /> | <br /> | ||
[[File: | [[File:download.gif|[GRAPHIC: Download]]] [http://download.microsoft.com/download/win2000platform/patch/q275657/nt5/pl/q275657_w2k_sp2_x86_pl.exe Polish Language Version]<br /> | ||
<br /> | <br /> | ||
[[File: | [[File:download.gif|[GRAPHIC: Download]]] [http://download.microsoft.com/download/win2000platform/patch/q275657/nt5/pt-br/q275657_w2k_sp2_x86_br.exe Portuguese (Brazilian) Language Version]<br /> | ||
<br /> | <br /> | ||
[[File: | [[File:download.gif|[GRAPHIC: Download]]] [http://download.microsoft.com/download/win2000platform/patch/q275657/nt5/pt/q275657_w2k_sp2_x86_pt.exe Portuguese Language Version]<br /> | ||
<br /> | <br /> | ||
[[File: | [[File:download.gif|[GRAPHIC: Download]]] [http://download.microsoft.com/download/win2000platform/patch/q275657/nt5/ru/q275657_w2k_sp2_x86_ru.exe Russian Language Version]<br /> | ||
<br /> | <br /> | ||
[[File: | [[File:download.gif|[GRAPHIC: Download]]] [http://download.microsoft.com/download/win2000platform/patch/q275657/nt5/es/q275657_w2k_sp2_x86_es.exe Spanish Language Version]<br /> | ||
<br /> | <br /> | ||
[[File: | [[File:download.gif|[GRAPHIC: Download]]] [http://download.microsoft.com/download/win2000platform/patch/q275657/nt5/sv/q275657_w2k_sp2_x86_sv.exe Swedish Language Version]<br /> | ||
<br /> | <br /> | ||
[[File: | [[File:download.gif|[GRAPHIC: Download]]] [http://download.microsoft.com/download/win2000platform/patch/q275657/nt5/tr/q275657_w2k_sp2_x86_tr.exe Turkish Language Version]<br /> | ||
<br /> | <br /> | ||
Latest revision as of 23:14, 19 July 2020
Article ID: 275657
Article Last Modified on 11/21/2006
APPLIES TO
- Microsoft Internet Information Services 5.0
This article was previously published under Q275657
SYMPTOMS
Microsoft has identified a vulnerability that may enable a malicious user to cause code to run on the computer of another user through a third-party Web site. Such code can take any action on the user's computer that the third-party Web site was permitted to take. In addition, the code can be made persistent, so that if the user returns to the Web site again, the code begins to run again.
This vulnerability can only be exploited if the user clicks on a hypertext link, either in HTML e-mail or on a malicious user's Web site; the code cannot be injected into an existing session.
CAUSE
Certain Web services provided by Internet Information Services 5.0 do not properly validate all inputs before they use them, and are therefore vulnerable to Cross-Site Scripting (CSS).
RESOLUTION
To resolve this problem, obtain the latest service pack for Windows XP. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
322389 How to Obtain the Latest Windows XP Service Pack
To resolve this problem, obtain the latest service pack for Windows 2000. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
260910 How to Obtain the Latest Windows 2000 Service Pack
On November 2, 2000, Microsoft released an updated patch to correct a new variant of this vulnerability. See the following for information on how to obtain the latest patch.
The following files are available for download from the Microsoft Download Center:
English Language Version
Czech Language Version
Dutch Language Version
French Language Version
Hungarian Language Version
Italian Language Version
Polish Language Version
Portuguese (Brazilian) Language Version
Portuguese Language Version
Russian Language Version
Spanish Language Version
Swedish Language Version
Turkish Language Version
For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:
119591 How to Obtain Microsoft Support Files from Online Services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file. The English version of this fix should have the following file attributes or later:
   Date        Time    Version        Size     File name
   --------------------------------------------------------
   08/26/2000  06:30p                 6,512    Fixerr.js
   08/27/2000  11:41p  5.0.2195.2104  57,104   Httpodbc.dll
   09/21/2000  05:23p  5.0.2195.2287  122,640  Iisrtl.dll
   09/28/2000  05:54p  5.0.2195.2363  46,352   Ism.dll
   08/27/2000  11:41p  5.0.2195.2104  41,744   Ssinc.dll
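The "following file attributes or later" check against the file table above can be automated. The Python sketch below is an added example, not part of the original article or of any Microsoft tool. The inventory it audits is constructed sample data, and the function names are hypothetical.

```python
# Added example: audit a file inventory against the minimum versions in the
# KB275657 file table. Versions are compared numerically, field by field.

# Rows copied from the article's file table (English version of the fix).
KB_TABLE = """\
08/26/2000  06:30p                 6,512    Fixerr.js
08/27/2000  11:41p  5.0.2195.2104  57,104   Httpodbc.dll
09/21/2000  05:23p  5.0.2195.2287  122,640  Iisrtl.dll
09/28/2000  05:54p  5.0.2195.2363  46,352   Ism.dll
08/27/2000  11:41p  5.0.2195.2104  41,744   Ssinc.dll
"""

def parse_version(text):
    """'5.0.2195.2104' -> (5, 0, 2195, 2104) so comparison is numeric."""
    return tuple(int(part) for part in text.split("."))

def parse_kb_table(table):
    """Return {lowercase file name: minimum version tuple, or None}."""
    minimums = {}
    for line in table.splitlines():
        fields = line.split()
        if not fields:
            continue
        # Rows with a version have 5 fields; Fixerr.js has only 4.
        version = parse_version(fields[2]) if len(fields) == 5 else None
        minimums[fields[-1].lower()] = version
    return minimums

def audit(inventory, minimums):
    """inventory maps file name -> version string; returns name -> status."""
    found = {name.lower(): ver for name, ver in inventory.items()}
    report = {}
    for name, minimum in minimums.items():
        if minimum is None:
            report[name] = "no version in table"  # check date and size by hand
        elif name not in found:
            report[name] = "missing"
        elif parse_version(found[name]) >= minimum:
            report[name] = "ok"
        else:
            report[name] = "below fix level"
    return report

# Constructed inventory, e.g. exported from one server's file properties.
SAMPLE_INVENTORY = {
    "Httpodbc.dll": "5.0.2195.2104",
    "Iisrtl.dll": "5.0.2195.999",   # a string compare would rank this above 2287
    "Ism.dll": "5.0.2195.6620",
}

if __name__ == "__main__":
    for name, status in audit(SAMPLE_INVENTORY, parse_kb_table(KB_TABLE)).items():
        print(f"{name:14} {status}")
```

Comparing the dotted versions as plain strings would wrongly rate build 999 as newer than 2287, which is why each field is converted to an integer first.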
For additional information about resolving this problem in Internet Information Server (IIS) 4.0, click the article number below to view the article in the Microsoft Knowledge Base:
260347 IIS 4: Fix for Cross-Site Scripting Issues
STATUS
Microsoft has confirmed that this is a problem in Internet Information Services 5.0. This problem was first corrected in Microsoft Windows 2000 Service Pack 3 (SP3) and Microsoft Windows XP Service Pack 1 (SP1).
MORE INFORMATION
For more information on this security vulnerability, please see the following Microsoft web site:
CSS is a recently discovered security vulnerability that can potentially enable a malicious user to inject code into a user's session with a Web site. Unlike most security vulnerabilities, CSS does not apply to any single vendor's products, but instead, it can affect any software that runs on a Web server and does not follow defensive programming practices. In early 2000, Microsoft and CERT worked together to inform the software industry of the issue and lead an industry-wide response to it.
Microsoft published extensive information about CSS, including information for developers about how to check their code for potential vulnerabilities. Microsoft has identified several places in IIS where proper checking was not performed; some of these have been found by our internal security teams, and others were identified by customers.
Additional query words: Patch Available for "IIS Cross-Site Scripting" Vulnerabilities
Keywords: kbbug kbfix kbgraphxlinkcritical kbwin2000presp2fix kbqfe kbwinxpsp1fix kbhotfixserver KB275657