MS02-018: April 2002 Cumulative Patch for Internet Information Services

Article ID: 319733 - View products that this article applies to.
This article was previously published under Q319733
Expand all | Collapse all

On This Page

SUMMARY

Microsoft has released a cumulative patch for Internet Information Server (IIS) 4.0, Internet Information Services (IIS) 5.0, and IIS 5.1 that includes updates for the issues that are described in the following Microsoft Knowledge Base articles:
297860
(http://support.microsoft.com/kb/297860/EN-US/ )
MS01-044: IIS 5.0 Security and Post-Windows NT 4.0 SP5 IIS 4.0 Patch Rollup
307934
(http://support.microsoft.com/kb/307934/ )
Locking down WebDAV through ACL still allows PUT and DELETE requests
313489
(http://support.microsoft.com/kb/313489/ )
You can place content headers in the body of a response if an ISAPI filter is installed
314339
(http://support.microsoft.com/kb/314339/EN-US/ )
MS02-018: Patch Available for Access Violation in URL Error Handling Vulnerability
317035
(http://support.microsoft.com/kb/317035/EN-US/ )
MS02-018: Patch Available for Cross-Site Scripting in Redirect Response Message Vulnerability
317196
(http://support.microsoft.com/kb/317196/EN-US/ )
MS02-018: Patch Available for Denial of Service Through FTP Status Request Vulnerability
317895
(http://support.microsoft.com/kb/317895/EN-US/ )
MS02-018: Patch Available for Cross-Site Scripting in IIS Help File Search Facility Vulnerability
318091
(http://support.microsoft.com/kb/318091/EN-US/ )
MS02-018: Patch Available for Buffer Overrun in HTR ISAPI Extension Vulnerability
319688
(http://support.microsoft.com/kb/319688/EN-US/ )
MS02-018: Patch Available for Chunked Encoding Transfer Mechanism Vulnerability
320374
(http://support.microsoft.com/kb/320374/EN-US/ )
MS02-018: Patch Available for Cross-site Scripting in Custom 404 Error Page Vulnerability
321123
(http://support.microsoft.com/kb/321123/EN-US/ )
MS02-018: Patch Available for Buffer Overrun in ASP Server-Side Include Function Vulnerability
321130
(http://support.microsoft.com/kb/321130/EN-US/ )
MS02-018: Patch Available for Buffer Overrun in HTTP Header Handling Vulnerability
NOTE: These patches do not include fixes for vulnerabilities involving non-IIS products, such as the Front Page Server Extensions and Index Server, even though these products are closely associated with IIS and are typically installed on IIS servers. There is, however, one exception. The fix for the vulnerability that affects Index Server, which is discussed in Microsoft Security Bulletin MS01-033
(http://www.microsoft.com/technet/security/bulletin/MS01-033.mspx)
, is included in this patch because of the seriousness of the issue for IIS servers. At the time that this article was written, the Microsoft Security Bulletins that discuss these vulnerabilities are as follows:
Microsoft Security Bulletin MS01-043
(http://www.microsoft.com/technet/security/bulletin/MS01-043.mspx)


Microsoft Security Bulletin MS01-025
(http://www.microsoft.com/technet/security/bulletin/ms01-025.mspx)


Microsoft Security Bulletin MS00-084
(http://www.microsoft.com/technet/security/bulletin/ms00-084.mspx)


Microsoft Security Bulletin MS00-018
(http://www.microsoft.com/technet/security/bulletin/ms00-018.mspx)


Microsoft Security Bulletin MS00-006
(http://www.microsoft.com/technet/security/bulletin/ms00-006.mspx)
All of the previously listed fixes and cumulative patches are included in Windows 2000 Service Pack 3. For more information about the latest service pack for Windows 2000, click the following article number to view the article in the Microsoft Knowledge Base:
260910
(http://support.microsoft.com/kb/260910/ )
How to obtain the latest Windows 2000 service pack
NOTE: The fixes for the following vulnerabilities that affect IIS 4.0 are not included in the patch because they require administrative action instead of a software change. Administrators should make sure that in addition to applying this patch, they also take the administrative action that is described in the following bulletins:
Microsoft Security Bulletin MS00-028
(http://www.microsoft.com/technet/security/bulletin/ms00-028.mspx)


Microsoft Security Bulletin MS00-025
(http://www.microsoft.com/technet/security/bulletin/ms00-025.mspx)


Microsoft Security Bulletin MS99-025
(http://www.microsoft.com/technet/security/bulletin/ms99-025.mspx)
(which discusses the same issue as Microsoft Security Bulletin MS98-004)
(http://www.microsoft.com/technet/security/bulletin/ms98-004.mspx)


Microsoft Security Bulletin MS99-013
(http://www.microsoft.com/technet/security/bulletin/ms99-013.mspx)
For more information about the latest service pack for Windows XP, click the following article number to view the article in the Microsoft Knowledge Base:
322389
(http://support.microsoft.com/kb/322389/ )
How to obtain the latest Windows XP service pack
For more information about the latest service pack for Windows 2000, click the following article number to view the article in the Microsoft Knowledge Base:
260910
(http://support.microsoft.com/kb/260910/ )
How to obtain the latest Windows 2000 service pack
Back to the top | Give Feedback

MORE INFORMATION

For more information about this patch, visit the following Microsoft Web site:
http://www.microsoft.com/technet/security/bulletin/MS02-018.mspx
(http://www.microsoft.com/technet/security/bulletin/MS02-018.mspx)

Internet Information Services 5.1

To resolve these problems, obtain the latest service pack for Windows XP. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
322389
(http://support.microsoft.com/kb/322389/ )
How to obtain the latest Windows XP service pack
Before you apply the update that is described in the following section, back-up your metabase.

The following file is available for download from the Microsoft Download Center:
Collapse this imageExpand this image
Download
Download the Q319733 package now.
(http://www.microsoft.com/downloads/details.aspx?FamilyID=c87bad03-a4b8-4199-8259-8a37af61ef63)


You do not have to restart your computer after you apply this update. The installer stops and restarts the IIS service automatically. If you are prompted to restart your computer, ignore the prompt.

The Q319733 package supports the following switches: 
   -x   Extract the files for later installation
   -u   Unattended mode
   -f   Force other programs to close when the computer shuts down   
   -n   Do not back up files for uninstall
   -o   Overwrite OEM files without prompting
   -z   Do not restart when installation is complete
   -q   Quiet mode (no user interaction)
   -l   List installed hotfixes
The English version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel. 
   Date         Time   Version      Size     File name
   -------------------------------------------------------
   27-Mar-2002  18:53  5.1.2600.41  338,944  Asp51.dll        
   20-Mar-2002  14:59                 2,411  Default.asp
   27-Mar-2002  18:53  5.1.2600.41  117,248  Ftpsv251.dll     
   27-Mar-2002  18:54  6.0.2600.41  240,640  Httpext.dll      
   20-Mar-2002  14:59                19,224  Query.asp
   20-Mar-2002  14:59                 6,527  Search.asp
   20-Mar-2002  20:12  5.1.2600.40    9,216  Spiisupd.exe     
   21-Mar-2002  17:43  5.2.1.0        3,584  Spmsg.dll        
   21-Mar-2002  17:46  5.2.1.0       41,472  Spuninst.exe     
   27-Mar-2002  18:53  5.1.2600.41  339,456  W3svc.dll
NOTE: Due to file dependencies, this update may contain additional files.

Internet Information Services 5.0

To resolve these problems, obtain the latest service pack for Windows 2000. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
260910
(http://support.microsoft.com/kb/260910/ )
How to obtain the latest Windows 2000 service pack
Before you apply the update that is described in the following section, back-up your metabase. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
300672
(http://support.microsoft.com/kb/300672/ )
How to create a metabase backup in IIS 5

The following files are available for download from the Microsoft Download Center:
Collapse this imageExpand this image
Download
English Language Version
(http://download.microsoft.com/download/iis50/patch/q319733/nt5/en-us/q319733_w2k_sp3_x86_en.exe)


Collapse this imageExpand this image
Download
Arabic Language Version
(http://download.microsoft.com/download/iis50/patch/q319733/nt5/ar/q319733_w2k_sp3_x86_ar.exe)


Collapse this imageExpand this image
Download
Chinese (Simplified) Language Version
(http://download.microsoft.com/download/iis50/patch/q319733/nt5/cn/q319733_w2k_sp3_x86_cn.exe)


Collapse this imageExpand this image
Download
Chinese (Traditional) Language Version
(http://download.microsoft.com/download/iis50/patch/q319733/nt5/tw/q319733_w2k_sp3_x86_tw.exe)


Collapse this imageExpand this image
Download
Czech Language Version
(http://download.microsoft.com/download/iis50/patch/q319733/nt5/cs/q319733_w2k_sp3_x86_cs.exe)


Collapse this imageExpand this image
Download
Danish Language Version
(http://download.microsoft.com/download/iis50/patch/q319733/nt5/da/q319733_w2k_sp3_x86_da.exe)


Collapse this imageExpand this image
Download
Dutch Language Version
(http://download.microsoft.com/download/iis50/patch/q319733/nt5/nl/q319733_w2k_sp3_x86_nl.exe)


Collapse this imageExpand this image
Download
Finnish Language Version
(http://download.microsoft.com/download/iis50/patch/q319733/nt5/fi/q319733_w2k_sp3_x86_fi.exe)


Collapse this imageExpand this image
Download
French Language Version
(http://download.microsoft.com/download/iis50/patch/q319733/nt5/fr/q319733_w2k_sp3_x86_fr.exe)


Collapse this imageExpand this image
Download
German Language Version
(http://download.microsoft.com/download/iis50/patch/q319733/nt5/de/q319733_w2k_sp3_x86_de.exe)


Collapse this imageExpand this image
Download
Greek Language Version
(http://download.microsoft.com/download/iis50/patch/q319733/nt5/el/q319733_w2k_sp3_x86_el.exe)


Collapse this imageExpand this image
Download
Hebrew Language Version
(http://download.microsoft.com/download/iis50/patch/q319733/nt5/he/q319733_w2k_sp3_x86_he.exe)


Collapse this imageExpand this image
Download
Hungarian Language Version
(http://download.microsoft.com/download/iis50/patch/q319733/nt5/hu/q319733_w2k_sp3_x86_hu.exe)


Collapse this imageExpand this image
Download
Italian Language Version
(http://download.microsoft.com/download/iis50/patch/q319733/nt5/it/q319733_w2k_sp3_x86_it.exe)


Collapse this imageExpand this image
Download
Japanese Language Version
(http://download.microsoft.com/download/iis50/patch/q319733/nt5/ja/q319733_w2k_sp3_x86_ja.exe)


Collapse this imageExpand this image
Download
Japanese NEC Language Version
(http://download.microsoft.com/download/iis50/patchnec/q319733/nt5/ja/q319733_w2k_sp3_nec98_ja.exe)


Collapse this imageExpand this image
Download
Korean Language Version
(http://download.microsoft.com/download/iis50/patch/q319733/nt5/ko/q319733_w2k_sp3_x86_ko.exe)


Collapse this imageExpand this image
Download
Norwegian Language Version
(http://download.microsoft.com/download/iis50/patch/q319733/nt5/no/q319733_w2k_sp3_x86_no.exe)


Collapse this imageExpand this image
Download
Polish Language Version
(http://download.microsoft.com/download/iis50/patch/q319733/nt5/pl/q319733_w2k_sp3_x86_pl.exe)


Collapse this imageExpand this image
Download
Portuguese (Brazilian) Language Version
(http://download.microsoft.com/download/iis50/patch/q319733/nt5/pt-br/q319733_w2k_sp3_x86_br.exe)


Collapse this imageExpand this image
Download
Portuguese Language Version
(http://download.microsoft.com/download/iis50/patch/q319733/nt5/pt/q319733_w2k_sp3_x86_pt.exe)


Collapse this imageExpand this image
Download
Russian Language Version
(http://download.microsoft.com/download/iis50/patch/q319733/nt5/ru/q319733_w2k_sp3_x86_ru.exe)


Collapse this imageExpand this image
Download
Spanish Language Version
(http://download.microsoft.com/download/iis50/patch/q319733/nt5/es/q319733_w2k_sp3_x86_es.exe)


Collapse this imageExpand this image
Download
Swedish Language Version
(http://download.microsoft.com/download/iis50/patch/q319733/nt5/sv/q319733_w2k_sp3_x86_sv.exe)


Collapse this imageExpand this image
Download
Turkish Language Version
(http://download.microsoft.com/download/iis50/patch/q319733/nt5/tr/q319733_w2k_sp3_x86_tr.exe)


Release Date: April 10, 2002

For more information about how to download Microsoft support files, click the following article number to view the article in the Microsoft Knowledge Base:
119591
(http://support.microsoft.com/kb/119591/ )
How to obtain Microsoft support files from online services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help prevent any unauthorized changes to the file.

After you apply this update, space characters such as white space, tabs, carriage returns, and line feeds in the IIS log file are replaced with plus signs (+). If you have a log analyzer that parses the IIS log file, you may have to update it to accommodate this change. To work around this problem while you update your log analyzer, extract the patch with the "-x" switch and do not install the Iislog.dll file.

You do not have to restart your computer after you apply this update, because the installer stops and restarts the IIS service automatically.

The Q319733 package supports the following switches: 
   -x Extract the files for later installation
   -y Perform uninstall (only with /m or /q)
   -f Force apps closed at shutdown
   -n Do not create uninstall directory
   -z Do not reboot when update completes
   -q Quiet Mode -- no user interface
   -m Unattended mode
   -l List installed hotfixes
The English version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel. 
   Date         Time   Version        Size     File name
   ----------------------------------------------------------
   03-Apr-2002  22:17  5.0.2195.5255  245,520  Adsiis.dll       
   03-Apr-2002  22:17  5.0.2195.5255  333,072  Asp.dll          
   22-Mar-2002  20:15                   2,413  Default.asp
   08-Oct-2001  20:38  4.0.2.4701     593,976  Fp4autl.dll      
   03-Apr-2002  22:17  5.0.2195.3649  299,792  Fscfg.dll        
   03-Apr-2002  22:17  5.0.2195.5255    8,464  Ftpctrs2.dll     
   03-Apr-2002  22:17  5.0.2195.5255    6,416  Ftpmib.dll       
   03-Apr-2002  22:17  5.0.2195.5255  117,008  Ftpsvc2.dll      
   04-Apr-2002  03:37  5.0.2195.5255  246,032  Httpext.dll      
   03-Apr-2002  22:17  5.0.2195.5255    9,488  Httpmib.dll      
   03-Apr-2002  22:17  5.0.2195.5255   56,592  Httpodbc.dll     
   03-Apr-2002  22:17  5.0.2195.4966  121,104  Idq.dll          
   03-Apr-2002  22:17  5.0.2195.5283   78,608  Iislog.dll       
   03-Apr-2002  22:17  5.0.2195.5255  122,640  Iisrtl.dll       
   03-Apr-2002  22:17  5.0.2195.5255   13,584  Infoadmn.dll     
   03-Apr-2002  22:17  5.0.2195.5255  246,032  Infocomm.dll     
   03-Apr-2002  22:17  5.0.2195.5255   62,736  Isatq.dll        
   03-Apr-2002  22:17  5.0.2195.5247   46,352  Ism.dll          
   03-Apr-2002  22:17  5.0.2195.5255   26,896  Mdsync.dll       
   03-Apr-2002  22:17  5.0.2195.4661   76,560  Msw3prt.dll      
   23-Mar-2002  00:36  5.0.2195.5247    6,416  Perfvd.exe       
   22-Mar-2002  20:15                  19,178  Query.asp
   22-Mar-2002  20:15                   5,571  Search.asp
   21-Mar-2002  20:06  5.0.2195.5217    9,488  Spiisupd.exe     
   03-Apr-2002  22:17  5.0.2195.5255   41,232  Ssinc.dll        
   03-Apr-2002  22:17  5.0.2195.5255    7,440  W3ctrs.dll       
   03-Apr-2002  22:17  5.0.2195.5269  348,944  W3svc.dll
NOTE: Due to file dependencies, this update may contain additional files. This update requires Windows 2000 Service Pack 2 (SP2) or SP1
(http://support.microsoft.com/default.aspx?scid=kb;en-us;260910)
.

Internet Information Server 4.0

Before you apply this update, backup your metabase. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
300675
(http://support.microsoft.com/kb/300675/ )
How to create a metabase backup by using Internet Information Server 4.0 in Windows NT
The following file is available for download from the Microsoft Download Center:
Collapse this imageExpand this image
Download
Download the Q319733 Package now
(http://www.microsoft.com/downloads/details.aspx?FamilyID=a39af519-5af1-496d-8463-7dfb17d7b83d&DisplayLang=en)
Release Date: April 10, 2002

For more information about how to download Microsoft support files, click the following article number to view the article in the Microsoft Knowledge Base:
119591
(http://support.microsoft.com/kb/119591/ )
How to obtain Microsoft support files from online services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help prevent any unauthorized changes to the file. Perform the following steps to avoid the need to restart your computer:

NOTE: Although you can avoid the need to restart your computer after applying this patch, the computer will NOT be considered patched and protected until after a restart. Unlike in Windows 2000 (IIS 5), in Windows NT 4.0 (IIS 4) the older .dll files are not automatically updated. The steps to avoid a restart should only be taken if you want to apply more than one patch before you restart the computer, and should always be followed by a restart.
  1. Stop all IIS services.
  2. Install the patch with the hotfix with "/z" switch.
  3. Restart the IIS services.
The Q319733 package supports the following switches: 
   -x Extract the files for later installation
   -y Perform uninstall (only with /m or /q)
   -f Force apps closed at shutdown
   -n Do not create uninstall directory
   -z Do not reboot when update completes
   -q Quiet Mode -- no user interface
   -m Unattended mode
   -l List installed hotfixes
The English version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel. 
   Date         Time   Version     Size     File name
   ----------------------------------------------------
   26-Mar-2002  21:53  4.2.775.1   214,544  Adsiis.dll       
   26-Mar-2002  21:53  4.2.775.1   330,672  Asp.dll          
   02-Apr-2001  19:55  4.0.2.4701  593,976  Fp4autl.dll      
   26-Mar-2002  21:52  4.2.775.1    81,888  Ftpsvc2.dll      
   26-Mar-2002  21:52  4.2.775.1    55,392  Httpodbc.dll     
   13-Jul-2001  19:14  5.0.1782.4  193,296  Idq.dll          
   26-Mar-2002  21:53  4.2.775.1    98,912  Iischema.dll     
   26-Mar-2002  21:51  4.2.775.1    63,472  Iislog.dll       
   26-Mar-2002  21:51  4.2.775.1   185,792  Infocomm.dll     
   26-Mar-2002  21:51  4.2.775.1    29,520  Iscomlog.dll     
   26-Mar-2002  21:55  4.2.775.1    54,560  Ism.dll          
   26-Mar-2002  21:53  4.2.775.1    31,872  Mdsync.dll       
   26-Mar-2002  21:56  4.2.775.1     9,680  Schmupd.exe      
   26-Mar-2002  21:52  4.2.775.1    38,256  Ssinc.dll        
   26-Mar-2002  21:52  4.2.775.1    25,360  Sspifilt.dll     
   26-Mar-2002  21:52  4.2.775.1   230,592  W3svc.dll        
   26-Mar-2002  21:52  4.2.775.1    88,032  Wam.dll
NOTE: Due to file dependencies, this update may contain additional files. This update requires Windows NT 4.0 Service Pack 6a (SP6a)
(http://support.microsoft.com/default.aspx?scid=kb;en-us;152734)
.

Windows NT Server 4.0, Terminal Edition

Internet Information Server 4.0 is part of the Windows NT 4.0 Option Pack which is not supported on Windows NT Server 4.0, Terminal Server Edition. Patches for IIS 4.0 have been provided as part of the Windows NT Server 4.0, Terminal Server Edition, Security Rollup Package (SRP) only for customers who have installed the Option Pack to protect their computers during the migration to a supported operating system. For more information about the SRP, click the following article number to view the article in the Microsoft Knowledge Base:
317636
(http://support.microsoft.com/kb/317636/ )
Windows NT Server 4.0, Terminal Server Edition, Security Rollup Package
Back to the top | Give Feedback

Properties

Article ID: 319733 - Last Review: May 30, 2007 - Revision: 6.6
APPLIES TO
  • Microsoft Internet Information Services version 5.1
  • Microsoft Internet Information Services 5.0
  • Microsoft Internet Information Server 4.0
Keywords: 
kbhotfixserver kbqfe kbinfo kbsecurity kbwin2000presp3fix kbwin2000sp3fix kbwinxpsp1fix KB319733
Back to the top | Give Feedback

Give Feedback

 
Back to the topBack to the top