ISAPI Patch and WindowsUpdate

Daniel G. Epstein depstein at uchicago.edu
Fri Jul 20 02:48:24 GMT 2001


Hey all,

Just an additional note here: the updater application at
http://windowsupdate.microsoft.com/ does not seem to display the relevant 
patch, Q300972, as being necessary for a system that is not running either 
the Index Server or Indexing Service.  However, default installations of
both IIS 4 and 5 are still vulnerable to this exploit even if the service 
is not installed.  Therefore, the patch must be downloaded from the actual 
KB site, which many users will not visit.  Interestingly, they also say you 
must reinstall this patch every time you update the system.  Maybe this 
will properly be fixed in SP3.

Cheers,

Dan


A boast of "I have been's,"   | Daniel G. Epstein
quoted from foolscap tomes,   | Network Security Officer,
is a shadow brushed away      | Network Security & Enterprise
by an acorn from an oak tree, |  Network Systems Administration
or a salmon in a pool.        | NSIT, The University of Chicago
                              | depstein at uchicago.edu

For PGP key see http://security.uchicago.edu/centerinfo/pgpkeys.shtml


