This article was previously published under Q278499
This article has been archived. It is offered "as is" and will no longer be updated.
Microsoft has made an update available that addresses a potential security vulnerability that relates to the Webhits component (Webhits.dll) of the Windows 2000 and Windows NT 4.0 Indexing services. The vulnerability is the result of a feature in the Indexing service that allows users to specify alternate HTML to be used to highlight a match to query text. The feature lets users pass raw HTML as a parameter to a .htw file. This HTML is not escaped or scanned in any way. Because of this, users can then submit scripts embedded in the HTML. This vulnerability is known as Cross-Site Scripting (CSS). For more information about CSS, please see the "More Information" section of this article.
Note: The Indexing Service ships and installs with Windows 2000, but is not enabled by default. Users who are running web servers on Windows 2000 who have enabled Indexing Services are urged to apply this patch. The Indexing Service for Windows NT 4.0 ships with the NT Option Pack, and is not installed or enabled by default.
To resolve this problem, obtain the latest service pack for Windows 2000. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
260910 How to Obtain the Latest Windows 2000 Service Pack
The English-language version of this fix should have the following file attributes or later: Date Time Size File name Platform ----------------------------------------------------------- 10/31/2000 11:08am 42,768 Webhits.dll i386
Indexing Server 2.0
The following files are available for download from the Microsoft Download Center: All languages except Japanese NEC and Chinese - Hong Kong
For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:
119591 How to Obtain Microsoft Support Files from Online Services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file. The English version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.
Date Time Version Size File name --------------------------------------------------- 25-Feb-2003 06:53 5.0.1782.5 42,256 Webhits.dll
Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article. This problem was first corrected in Windows 2000 Service Pack 2.
For more information about this vulnerability and the patch, please view the following Microsoft Web sites:
On February 20, 2000, Microsoft and the Computer Emergency Response Team (CERT) Coordination Center published information about a newly-identified security vulnerability affected all Web server products. This vulnerability, known as Cross-Site Scripting (CSS), results when Web programs don't properly validate inputs before using them in dynamic Web pages. If a malicious Web site operator were able to lure a user to his site, and had identified a third-party Web site that was vulnerable to CSS, the malicious Web site operator could potentially use the vulnerability to "inject" script into a Web page that was created by the other Web site, which would then be delivered to the user. The effect of this would be to cause the malicious user's script to run on the user's computer by using the trust from the other site.
The vulnerability can affect any software that runs on a Web server, accepts user input, and "blindly" uses it to generate Web pages. Microsoft has identified a component within the Windows 2000 and Windows NT 4.0 Indexing services that is vulnerable to this scenario and is releasing a bulletin and a patch to correct the problem.