Released: 02 November 2000
Revised: 09 April 2003 (version 2.0)
Software: Microsoft Indexing Services for Windows 2000, Microsoft Indexing Services for Windows NT 4.0
Impact: Cross Site Scripting
Reason for Revision:
Subsequent to the release of this bulletin, it was discovered that an available package for the version of the Indexing Service which shipped with the NT 4.0 Option Pack had never been released.
The bulletin is being updated to include the download locations for that version of the fix.
On February 20, 2000, Microsoft and the CERT Coordination Center published information on a newly-identified security vulnerability affecting all web server products. This vulnerability, known as Cross-Site Scripting (CSS), results when web applications don't properly validate inputs before using them in dynamic web pages.
If a malicious web site operator were able to lure a user to his site, and had identified a third-party web site that was vulnerable to CSS, he could potentially use the vulnerability to "inject" script into a web page created by the other web site, which would then be delivered to the user. The net effect would be to cause the malicious user's script to run on the user's machine using the trust afforded the other site.
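The flaw described above, shown on a hypothetical search-results page that echoes the query back to the user, with the unencoded form beside the HTML-encoded one. This is an added illustration, not code from the bulletin or from Indexing Services; the page template, function names and probe string are assumptions.

```javascript
// Added illustration: hypothetical results page, not Indexing Services code.
const HTML_ENTITIES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};

// Encode the characters that are significant in HTML text and in quoted
// attribute values. A single pass, so "&" is never double-encoded.
function encodeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// The query appears in two contexts: an attribute value and element text.
function renderResults(query, encoder) {
  const q = encoder(query);
  return `<form><input name="q" value="${q}"></form>` +
         `<p>No documents matched: ${q}</p>`;
}

// Vulnerable form: the input is copied into the page unchanged.
const renderUnsafe = (query) => renderResults(query, (s) => s);
// Corrected form: the input is encoded before it reaches the page.
const renderSafe = (query) => renderResults(query, encodeHtml);

function countTags(html) {
  return (html.match(/<\/?[a-zA-Z][^>]*>/g) || []).length;
}

// Regression check: does this input make the page contain more tags than
// the same page rendered with a harmless query? It catches injected
// elements only; it is not a complete test for every injection form.
function addsMarkup(render, input) {
  return countTags(render(input)) > countTags(render("report"));
}

// Constructed probe: closes the attribute, then supplies an element.
const PROBE = '"><script>alert(1)</script>';

console.log("unsafe adds markup:", addsMarkup(renderUnsafe, PROBE));
console.log("safe adds markup:  ", addsMarkup(renderSafe, PROBE));
console.log(renderSafe(PROBE));
```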
Download: Indexing Services Patch for Windows 2000
Download: Indexing Services patch for NT 4.0
News source: In-House