Article ID: 319733
Article Last Modified on 5/30/2007
APPLIES TO
- Microsoft Internet Information Services 5.1
- Microsoft Internet Information Services 5.0
- Microsoft Internet Information Server 4.0
This article was previously published under Q319733
SUMMARY
Microsoft has released a cumulative patch for Internet Information Server (IIS) 4.0, Internet Information Services (IIS) 5.0, and IIS 5.1 that includes updates for the issues that are described in the following Microsoft Knowledge Base articles:
297860 MS01-044: IIS 5.0 Security and Post-Windows NT 4.0 SP5 IIS 4.0 Patch Rollup
307934 Locking down WebDAV through ACL still allows PUT and DELETE requests
313489 You can place content headers in the body of a response if an ISAPI filter is installed
314339 MS02-018: Patch Available for Access Violation in URL Error Handling Vulnerability
316864 Problems with Adobe Acrobat 5.0 after you install URLScan
317035 MS02-018: Patch Available for Cross-Site Scripting in Redirect Response Message Vulnerability
317196 MS02-018: Patch Available for Denial of Service Through FTP Status Request Vulnerability
317895 MS02-018: Patch Available for Cross-Site Scripting in IIS Help File Search Facility Vulnerability
318091 MS02-018: Patch Available for Buffer Overrun in HTR ISAPI Extension Vulnerability
319688 MS02-018: Patch Available for Chunked Encoding Transfer Mechanism Vulnerability
320374 MS02-018: Patch Available for Cross-site Scripting in Custom 404 Error Page Vulnerability
321123 MS02-018: Patch Available for Buffer Overrun in ASP Server-Side Include Function Vulnerability
321130 MS02-018: Patch Available for Buffer Overrun in HTTP Header Handling Vulnerability
NOTE: These patches do not include fixes for vulnerabilities involving non-IIS products, such as the Front Page Server Extensions and Index Server, even though these products are closely associated with IIS and are typically installed on IIS servers. There is, however, one exception. The fix for the vulnerability that affects Index Server, which is discussed in Microsoft Security Bulletin MS01-033, is included in this patch because of the seriousness of the issue for IIS servers. At the time that this article was written, the Microsoft Security Bulletins that discuss these vulnerabilities are as follows:
Microsoft Security Bulletin MS01-043
Microsoft Security Bulletin MS01-025
Microsoft Security Bulletin MS00-084
Microsoft Security Bulletin MS00-018
Microsoft Security Bulletin MS00-006
All of the previously listed fixes and cumulative patches are included in Windows 2000 Service Pack 3. For more information about the latest service pack for Windows 2000, click the following article number to view the article in the Microsoft Knowledge Base:
260910 How to obtain the latest Windows 2000 service pack
NOTE: The fixes for the following vulnerabilities that affect IIS 4.0 are not included in the patch because they require administrative action instead of a software change. Administrators should make sure that in addition to applying this patch, they also take the administrative action that is described in the following bulletins:
Microsoft Security Bulletin MS00-028
Microsoft Security Bulletin MS00-025
Microsoft Security Bulletin MS99-025 (which discusses the same issue as Microsoft Security Bulletin MS98-004)
Microsoft Security Bulletin MS99-013
For more information about the latest service pack for Windows XP, click the following article number to view the article in the Microsoft Knowledge Base:
322389 How to obtain the latest Windows XP service pack
For more information about the latest service pack for Windows 2000, click the following article number to view the article in the Microsoft Knowledge Base:
260910 How to obtain the latest Windows 2000 service pack
MORE INFORMATION
For more information about this patch, visit the following Microsoft Web site:
- Internet Information Services 5.1
- Internet Information Services 5.0
- Internet Information Server 4.0
- Windows NT Server 4.0, Terminal Edition
Internet Information Services 5.1
To resolve these problems, obtain the latest service pack for Windows XP. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
322389 How to obtain the latest Windows XP service pack
Before you apply the update that is described in the following section, back-up your metabase.
The following file is available for download from the Microsoft Download Center:
Download the Q319733 package now.
You do not have to restart your computer after you apply this update. The installer stops and restarts the IIS service automatically. If you are prompted to restart your computer, ignore the prompt.
The Q319733 package supports the following switches:
-x Extract the files for later installation -u Unattended mode -f Force other programs to close when the computer shuts down -n Do not back up files for uninstall -o Overwrite OEM files without prompting -z Do not restart when installation is complete -q Quiet mode (no user interaction) -l List installed hotfixes
The English version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.
Date Time Version Size File name ------------------------------------------------------- 27-Mar-2002 18:53 5.1.2600.41 338,944 Asp51.dll 20-Mar-2002 14:59 2,411 Default.asp 27-Mar-2002 18:53 5.1.2600.41 117,248 Ftpsv251.dll 27-Mar-2002 18:54 6.0.2600.41 240,640 Httpext.dll 20-Mar-2002 14:59 19,224 Query.asp 20-Mar-2002 14:59 6,527 Search.asp 20-Mar-2002 20:12 5.1.2600.40 9,216 Spiisupd.exe 21-Mar-2002 17:43 5.2.1.0 3,584 Spmsg.dll 21-Mar-2002 17:46 5.2.1.0 41,472 Spuninst.exe 27-Mar-2002 18:53 5.1.2600.41 339,456 W3svc.dll
NOTE: Due to file dependencies, this update may contain additional files. back to the top
Internet Information Services 5.0
To resolve these problems, obtain the latest service pack for Windows 2000. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
260910 How to obtain the latest Windows 2000 service pack
Before you apply the update that is described in the following section, back-up your metabase. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
300672 How to create a metabase backup in IIS 5
The following files are available for download from the Microsoft Download Center:
English Language Version
Arabic Language Version
Chinese (Simplified) Language Version
Chinese (Traditional) Language Version
Czech Language Version
Danish Language Version
Dutch Language Version
Finnish Language Version
French Language Version
German Language Version
Greek Language Version
Hebrew Language Version
Hungarian Language Version
Italian Language Version
Japanese Language Version
Japanese NEC Language Version
Korean Language Version
Norwegian Language Version
Polish Language Version
Portuguese (Brazilian) Language Version
Portuguese Language Version
Russian Language Version
Spanish Language Version
Swedish Language Version
Turkish Language Version
Release Date: April 10, 2002
For more information about how to download Microsoft support files, click the following article number to view the article in the Microsoft Knowledge Base:
119591 How to obtain Microsoft support files from online services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help prevent any unauthorized changes to the file.
After you apply this update, space characters such as white space, tabs, carriage returns, and line feeds in the IIS log file are replaced with plus signs (+). If you have a log analyzer that parses the IIS log file, you may have to update it to accommodate this change. To work around this problem while you update your log analyzer, extract the patch with the "-x" switch and do not install the Iislog.dll file.
You do not have to restart your computer after you apply this update, because the installer stops and restarts the IIS service automatically.
The Q319733 package supports the following switches:
-x Extract the files for later installation -y Perform uninstall (only with /m or /q) -f Force apps closed at shutdown -n Do not create uninstall directory -z Do not reboot when update completes -q Quiet Mode -- no user interface -m Unattended mode -l List installed hotfixes
The English version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.
Date Time Version Size File name ---------------------------------------------------------- 03-Apr-2002 22:17 5.0.2195.5255 245,520 Adsiis.dll 03-Apr-2002 22:17 5.0.2195.5255 333,072 Asp.dll 22-Mar-2002 20:15 2,413 Default.asp 08-Oct-2001 20:38 4.0.2.4701 593,976 Fp4autl.dll 03-Apr-2002 22:17 5.0.2195.3649 299,792 Fscfg.dll 03-Apr-2002 22:17 5.0.2195.5255 8,464 Ftpctrs2.dll 03-Apr-2002 22:17 5.0.2195.5255 6,416 Ftpmib.dll 03-Apr-2002 22:17 5.0.2195.5255 117,008 Ftpsvc2.dll 04-Apr-2002 03:37 5.0.2195.5255 246,032 Httpext.dll 03-Apr-2002 22:17 5.0.2195.5255 9,488 Httpmib.dll 03-Apr-2002 22:17 5.0.2195.5255 56,592 Httpodbc.dll 03-Apr-2002 22:17 5.0.2195.4966 121,104 Idq.dll 03-Apr-2002 22:17 5.0.2195.5283 78,608 Iislog.dll 03-Apr-2002 22:17 5.0.2195.5255 122,640 Iisrtl.dll 03-Apr-2002 22:17 5.0.2195.5255 13,584 Infoadmn.dll 03-Apr-2002 22:17 5.0.2195.5255 246,032 Infocomm.dll 03-Apr-2002 22:17 5.0.2195.5255 62,736 Isatq.dll 03-Apr-2002 22:17 5.0.2195.5247 46,352 Ism.dll 03-Apr-2002 22:17 5.0.2195.5255 26,896 Mdsync.dll 03-Apr-2002 22:17 5.0.2195.4661 76,560 Msw3prt.dll 23-Mar-2002 00:36 5.0.2195.5247 6,416 Perfvd.exe 22-Mar-2002 20:15 19,178 Query.asp 22-Mar-2002 20:15 5,571 Search.asp 21-Mar-2002 20:06 5.0.2195.5217 9,488 Spiisupd.exe 03-Apr-2002 22:17 5.0.2195.5255 41,232 Ssinc.dll 03-Apr-2002 22:17 5.0.2195.5255 7,440 W3ctrs.dll 03-Apr-2002 22:17 5.0.2195.5269 348,944 W3svc.dll
NOTE: Due to file dependencies, this update may contain additional files. This update requires Windows 2000 Service Pack 2 (SP2) or SP1. back to the top
Internet Information Server 4.0
Before you apply this update, backup your metabase. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
300675 How to create a metabase backup by using Internet Information Server 4.0 in Windows NT
The following file is available for download from the Microsoft Download Center:
Release Date: April 10, 2002
For more information about how to download Microsoft support files, click the following article number to view the article in the Microsoft Knowledge Base:
119591 How to obtain Microsoft support files from online services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help prevent any unauthorized changes to the file. Perform the following steps to avoid the need to restart your computer:
NOTE: Although you can avoid the need to restart your computer after applying this patch, the computer will NOT be considered patched and protected until after a restart. Unlike in Windows 2000 (IIS 5), in Windows NT 4.0 (IIS 4) the older .dll files are not automatically updated. The steps to avoid a restart should only be taken if you want to apply more than one patch before you restart the computer, and should always be followed by a restart.
- Stop all IIS services.
- Install the patch with the hotfix with "/z" switch.
- Restart the IIS services.
The Q319733 package supports the following switches:
-x Extract the files for later installation -y Perform uninstall (only with /m or /q) -f Force apps closed at shutdown -n Do not create uninstall directory -z Do not reboot when update completes -q Quiet Mode -- no user interface -m Unattended mode -l List installed hotfixes
The English version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.
Date Time Version Size File name ---------------------------------------------------- 26-Mar-2002 21:53 4.2.775.1 214,544 Adsiis.dll 26-Mar-2002 21:53 4.2.775.1 330,672 Asp.dll 02-Apr-2001 19:55 4.0.2.4701 593,976 Fp4autl.dll 26-Mar-2002 21:52 4.2.775.1 81,888 Ftpsvc2.dll 26-Mar-2002 21:52 4.2.775.1 55,392 Httpodbc.dll 13-Jul-2001 19:14 5.0.1782.4 193,296 Idq.dll 26-Mar-2002 21:53 4.2.775.1 98,912 Iischema.dll 26-Mar-2002 21:51 4.2.775.1 63,472 Iislog.dll 26-Mar-2002 21:51 4.2.775.1 185,792 Infocomm.dll 26-Mar-2002 21:51 4.2.775.1 29,520 Iscomlog.dll 26-Mar-2002 21:55 4.2.775.1 54,560 Ism.dll 26-Mar-2002 21:53 4.2.775.1 31,872 Mdsync.dll 26-Mar-2002 21:56 4.2.775.1 9,680 Schmupd.exe 26-Mar-2002 21:52 4.2.775.1 38,256 Ssinc.dll 26-Mar-2002 21:52 4.2.775.1 25,360 Sspifilt.dll 26-Mar-2002 21:52 4.2.775.1 230,592 W3svc.dll 26-Mar-2002 21:52 4.2.775.1 88,032 Wam.dll
NOTE: Due to file dependencies, this update may contain additional files. This update requires Windows NT 4.0 Service Pack 6a (SP6a). back to the top
Windows NT Server 4.0, Terminal Edition
Internet Information Server 4.0 is part of the Windows NT 4.0 Option Pack which is not supported on Windows NT Server 4.0, Terminal Server Edition. Patches for IIS 4.0 have been provided as part of the Windows NT Server 4.0, Terminal Server Edition, Security Rollup Package (SRP) only for customers who have installed the Option Pack to protect their computers during the migration to a supported operating system. For more information about the SRP, click the following article number to view the article in the Microsoft Knowledge Base:
317636 Windows NT Server 4.0, Terminal Server Edition, Security Rollup Package
Additional query words: security_patch kbtsesrp
Keywords: kbhotfixserver kbqfe kbinfo kbsecurity kbwin2000presp3fix kbwin2000sp3fix kbwinxpsp1fix KB319733