We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 6.0 running on Microsoft Windows Server 2003. IIS 6.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site:
MORE INFORMATION
Installation platforms
The IIS 4.0 patch can be installed on systems running Windows NT 4.0 Service Pack 5 or Windows NT 4.0 Service Pack 6a.
The IIS 5.0 patch can be installed on systems running Windows 2000 Gold, Windows 2000 Service Pack 1, and Windows 2000 Service Pack 2.
Inclusion in future service packs
The fix for this issue will be included in the upcoming security roll-up for Windows NT and in Windows 2000 Service Pack 3.
Superseded patches
The IIS 4.0 patch supersedes those that are provided in the following security bulletins:
- Microsoft Security Bulletin MS01-004
- Microsoft Security Bulletin MS00-100
- Microsoft Security Bulletin MS00-086
- Microsoft Security Bulletin MS00-080
- Microsoft Security Bulletin MS00-078
- Microsoft Security Bulletin MS00-063
- Microsoft Security Bulletin MS00-060
- Microsoft Security Bulletin MS00-057
- Microsoft Security Bulletin MS00-044
- Microsoft Security Bulletin MS00-031
- Microsoft Security Bulletin MS00-030
- Microsoft Security Bulletin MS00-023
- Microsoft Security Bulletin MS00-019
- Microsoft Security Bulletin MS00-018
- Microsoft Security Bulletin MS99-061
- Microsoft Security Bulletin MS99-058
- Microsoft Security Bulletin MS99-053
- Microsoft Security Bulletin MS99-039
- Microsoft Security Bulletin MS99-029
- Microsoft Security Bulletin MS99-022
- Microsoft Security Bulletin MS99-019
- Microsoft Security Bulletin MS99-003
The IIS 5.0 patch supersedes those that are provided in the following security bulletins:
- Microsoft Security Bulletin MS01-023
- Microsoft Security Bulletin MS01-016
- Microsoft Security Bulletin MS01-014
- Microsoft Security Bulletin MS01-004
- Microsoft Security Bulletin MS00-100
- Microsoft Security Bulletin MS00-086
- Microsoft Security Bulletin MS00-080
- Microsoft Security Bulletin MS00-078
- Microsoft Security Bulletin MS00-060
- Microsoft Security Bulletin MS00-058
- Microsoft Security Bulletin MS00-057
- Microsoft Security Bulletin MS00-044
- Microsoft Security Bulletin MS00-031
- Microsoft Security Bulletin MS00-030
- Microsoft Security Bulletin MS00-023
- Microsoft Security Bulletin MS00-019
Verifying patch installation
IIS 4.0:
To verify that the patch has been installed on the computer, confirm that the following registry key has been created on the computer:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q295534
To verify the individual files, consult the file manifest in the following Knowledge Base article:
295534 MS01-026: Superfluous decoding operation can allow command execution through IIS
:
To verify that the patch has been installed on the computer, confirm that the following registry key has been created on the computer:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP2\Q293826
To verify the individual files, use the date/time and version information that is provided in the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP2\Q293826\Filelist
Caveats
The fixes for four vulnerabilities affecting IIS 4.0 servers are not included in the patch, because they require administrative action rather than a software change. Administrators should ensure that in addition to applying this patch, they have also taken the administrative action that is discussed in the following bulletins:
- Microsoft Security Bulletin MS00-028
- Microsoft Security Bulletin MS00-025
- Microsoft Security Bulletin MS99-025 (this bulletin discusses the same issue as Microsoft Security Bulletin MS98-004)
- Microsoft Security Bulletin MS99-013
The patch does not include fixes for vulnerabilities that involve non-IIS products such as Front Page Server Extensions and Index Server, even though these products are closely associated with IIS and are typically installed on IIS servers. At this writing, the bulletins that discuss these vulnerabilities are the following:
- Microsoft Security Bulletin MS01-025
- Microsoft Security Bulletin MS00-084
- Microsoft Security Bulletin MS00-006
Customers who have disabled WebDAV on IIS 5.0 servers should ensure that they reenable it prior to installing the patch, in order to ensure that an update version of Httpext.dll is installed. For more information, see the following Knowledge Base article:
241520 How to disable WebDAV for IIS 5.0
Customers using IIS 4.0 should ensure that they have followed the correct installation order before installing this or any security patch. For more information, see the following Microsoft Web site:
The patch prevents FTP logons using UPN notation (that is, userid@domain).
Localization
Localized versions of this patch are available from the download locations that are listed in the "Patch Availability" section.
Obtaining other security patches
Security patches are available from the Microsoft Download Center, and can be most easily found by doing a keyword search for "security_patch".
Patches for consumer platforms are available from the Windows Update Web site:
All patches that are available through Windows Update are also available in a redistributable form from the Windows Update corporate site: