This patch eliminates a security vulnerability in a component that ships as part of Microsoft Windows 2000. The vulnerability could allow a malicious Web site operator to learn the names and properties of files and folders on the machine of a visiting user.
An ActiveX control that ships as part of Indexing Service is incorrectly marked as 'safe for scripting', thereby enabling it to be executed by Web site applications. The control at issue here could be used to enumerate files and folders and to view their properties. It would not be necessary for Indexing Service to be running in order for the vulnerability to be exploited; however, if it were running, the control also could be used to search for files containing specific words. The vulnerability could not be used to read files, except via a fairly unlikely scenario discussed in detail in the FAQ. It could not be used under any conditions to change, add, or delete information on the user's computer.
A patch has been provided for Indexing Service 3.0, but not for Index Server 2.0. This is primarily due to the different delivery vehicles for the two versions. Indexing Service 3.0 ships as part of all versions of Windows 2000; thus, the vulnerability could affect all Windows 2000 users. In contrast, Index Server 2.0 ships as part of the Windows NT 4.0 Option Pack; thus, to be affected by the vulnerability in Index Server 2.0, a Webmaster would need to browse untrustworthy Internet sites from a Web server, which is contrary to normal recommended practices.