Related Resources • Glossary of terms

Elsewhere on the Web • Security Bulletin • eEye Digital • Netcraft Survey

In a strongly worded security bulletin issued June 18, 2001, Microsoft® warned of a flaw in their Microsoft Index Server 2.0 and Indexing Service in Windows 2000 which could "give the attacker the ability to take any desired action on the server, including changing web pages, reformatting the hard drive or adding new users to the local administrators group." This could also include replacing legitimate files with viruses. Microsoft urges all system administrators of web servers using Microsoft® Windows NT® 4.0 or Windows® 2000 to install the provided patch.

The situation is worsened by the number of Web servers potentially affected. According to May 2001 survey data from Netcraft nearly 6 million sites, or almost 21 percent of the Web use the flawed software. The Indexing Service in Windows XP beta is also affected, though Microsoft pledges to have the fix incorporated in the final release of that product.

The vulnerability was discovered by eEye Digital and reported to Microsoft. While Microsoft's security checklist for IIS 4.0 and IIS 5.0 include disabling the script mappings that make the vulnerability possible, using the Add/Remove Program in Control Panel to add or remove Windows components reinstates the default mapping. The Indexing Service is vulnerable only if IIS is running.

For further details on the vulnerability and to download the critical patch, visit:
http://www.microsoft.com/technet/security/bulletin/MS01-033.asp