Microsoft Security Bulletin MS00-006 - Important
Patch Available for "Malformed Hit-Highlighting Argument" Vulnerability
Published: January 26, 2000 | Updated: March 31, 2000
Originally Posted: January 26, 2000
Revised: March 31, 2000
On January 26, 2000 Microsoft released the original version of this bulletin to announce the availability of a patch that eliminates two security vulnerabilities in Microsoft® Index Server. The first vulnerability could allow a malicious user to view -- but not to change, add or delete -- files on a web server. The second vulnerability could reveal where web directories are physically located on the server.
On February 04, 2000, a new variant of the second vulnerability was discovered, which was already eliminated by the patch. Microsoft updated this bulletin in order to advise customers of it, but customers who already applied the patch did not need to take any action.
On February 11, 2000, Microsoft re-released the Windows 2000 version of this patch to take advantage of improvements in the Hotfix packaging tool. These improvements enable the hotfix tool to detect the default language of the system, and also give users better inventory control based on the Knowledge Base article and Service Pack. Although the patch itself was not changed by this re-release, Microsoft nevertheless recommended that Windows 2000 customers apply the new version in order to ensure that the new tool was present on their systems.
On March 31, 2000, Microsoft re-released the Windows NT 4.0 version of this patch, to address a recently-discovered variant of the vulnerability. Only the Windows NT 4.0 patch was affected by the new variant.
Frequently asked questions regarding this vulnerability and the patch can be found at http://www.microsoft.com/technet/security/bulletin/fq00-006.mspx
This patch eliminates two vulnerabilities whose only relationship is that both occur in Index Server. The first is the "Malformed Hit-Highlighting Argument" vulnerability. The ISAPI filter that implements the hit-highlighting (also known as "WebHits") functionality does not adequately constrain what files can be requested. By providing a deliberately-malformed argument in a request to hit-highlight a document, it is possible to escape the virtual directory. This would allow any file residing on the server itself, and on the same logical drive as the web root directory, to be retrieved regardless of permissions. A new variant of this vulnerability was announced on March 31, 2000. This variant could allow the source of server-side files such as .ASP files to be read. The new variant affects only Index Server 2.0, and Windows 2000 customers who applied the original patch were never at risk from it.
The second vulnerability involves the error message that is returned when a user requests a non-existent Internet Data Query file. The error message provides the physical path to the web directory that was contained in the request. Although this vulnerability would not allow a malicious user to alter or view any data, it could be a valuable reconnaissance tool for mapping the file structure of a web server. A new variant of this vulnerability was announced on February 04, 2000. This variant could allow a malicious user to read files. The variant was eliminated by the original patch, and customers who applied the original version of the patch were never at risk from it.
Indexing Services in Windows 2000 is affected only by the "Malformed Hit-Highlighting" vulnerability - it is not affected by the second vulnerability. Also, it is important to note that, although Indexing Services in Windows 2000 is installed by default, it is not started unless the administrator has explicitly turned it on.
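As an added illustration that is not part of this bulletin and not Index Server's own code, the following Python sketch models the two properties the patch restores for a hit-highlighting handler: a request-supplied document name is honoured only if it still resolves inside the web root after decoding and normalisation, and a not-found response never echoes the physical directory back to the client. WEB_ROOT, EXISTING_DOCUMENTS, resolve_document, is_within_root and handle_request are constructed names for the example.

```python
from __future__ import annotations
import posixpath
from urllib.parse import unquote

# Constructed values for the example; not real server paths.
WEB_ROOT = "/inetpub/wwwroot"
EXISTING_DOCUMENTS = {
    "/inetpub/wwwroot/default.htm",
    "/inetpub/wwwroot/docs/faq.htm",
}


class DocumentOutsideRoot(ValueError):
    """Raised when a requested document would resolve outside the web root."""


def resolve_document(web_root: str, requested: str) -> str:
    """Map a request-supplied document name to a physical path.

    The name is URL-decoded once (as the server would), backslashes are
    treated as separators (Windows accepts both), and the normalised
    result must be the web root itself or a descendant of it.
    """
    candidate = unquote(requested).replace("\\", "/")
    if "\x00" in candidate:
        raise DocumentOutsideRoot(requested)
    # Absolute paths and drive-letter prefixes can never be inside the root.
    if candidate.startswith("/") or (len(candidate) > 1 and candidate[1] == ":"):
        raise DocumentOutsideRoot(requested)
    root = posixpath.normpath(web_root)
    full = posixpath.normpath(posixpath.join(root, candidate))
    if full != root and not full.startswith(root + "/"):
        raise DocumentOutsideRoot(requested)
    return full


def is_within_root(web_root: str, requested: str) -> bool:
    """True if the request names something inside the web root."""
    try:
        resolve_document(web_root, requested)
    except DocumentOutsideRoot:
        return False
    return True


def handle_request(web_root: str, requested: str, existing: set) -> tuple:
    """Return (status, body) for a hit-highlighting request.

    Error bodies are deliberately generic: neither the physical web root
    nor the resolved path is revealed to the client.
    """
    try:
        path = resolve_document(web_root, requested)
    except DocumentOutsideRoot:
        return 403, "Forbidden"
    if path not in existing:
        return 404, "The requested document was not found."
    return 200, "hit-highlighted view of " + posixpath.relpath(path, web_root)


if __name__ == "__main__":
    for name in ("docs/faq.htm", "docs\\..\\default.htm", "../../outside.txt", "missing.idq"):
        print(name, "->", handle_request(WEB_ROOT, name, EXISTING_DOCUMENTS))
```

The check is done on the normalised result rather than by scanning the input for particular characters, so sibling directories that merely share a prefix with the root (for example a `wwwroot2` next to `wwwroot`) are also refused.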
Affected Software Versions
- Microsoft Index Server 2.0
- Indexing Service in Windows 2000
Vulnerability Identifiers
- Malformed Hit-Highlighting Argument Vulnerability: CVE-2000-0097
- Internet Data Query Vulnerability: CVE-2000-0098
- Malformed Hit-Highlighting Argument Variant Vulnerability: CVE-2000-0302
Patch Availability
- Index Server 2.0:
- Indexing Services for Windows 2000:
NOTE: The Download Center page incorrectly gives 26 January 2000 as the date of the patch. We are working to correct this error, but have verified that the patch that is on the Download Center is the most recent version.
NOTE: Additional security patches are available at the Microsoft Download Center.
More Information
Please see the following references for more information related to this issue.
- Frequently Asked Questions: Microsoft Security Bulletin MS00-006, http://www.microsoft.com/technet/security/bulletin/fq00-006.mspx.
- Microsoft Knowledge Base (KB) article 251170, Malformed Argument in Hit-Highlighting Request Allows Access to Web Server Files, http://support.microsoft.com/default.aspx?scid=kb;en-us;251170.
- Microsoft Knowledge Base (KB) article 252463, Index Server Error Message Reveals Physical Location of Web Directories, http://support.microsoft.com/default.aspx?scid=kb;en-us;252463.
- Microsoft TechNet Security web site.
Obtaining Support on this Issue
This is a fully supported patch. Information on contacting Microsoft Technical Support is available at http://support.microsoft.com/contactussupport/?ws=support.
Acknowledgments
Microsoft thanks David Litchfield of Cerberus Information Security, Ltd for reporting the "Malformed Hit-Highlighting Argument" vulnerability to us and working with us to protect customers.
Revisions
- January 26, 2000: Bulletin created.
- February 04, 2000: Bulletin revised to provide additional detail about Indexing Services, and to discuss an additional variant of the "Malformed Hit-Highlighting Argument" vulnerability that is eliminated by the original patch.
- February 11, 2000: Bulletin revised to reflect availability of the patch for Windows 2000 with the new version of Hotfix.exe.
- March 31, 2000: Bulletin revised to discuss a new variant of the "Malformed Hit-Highlighting Argument" vulnerability affecting Windows NT 4.0.
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.