This update resolves the "Specialized Header" vulnerability in Internet Information Services (IIS) 5.0, which ships with Windows 2000. Download now to prevent a malicious user from exploiting this vulnerability and causing your Web server to send the source code of .asp or .htr files to a visiting browser. Security recommendations advise against ever including sensitive information in .asp or .htr files.
IIS supports advanced file types such as .asp and .htr files, which are executed by a scripting engine on a server and are not sent to your browser, as .htm files are. IIS determines what scripting engine to use by checking file extensions. A malicious user could go to a Web site and add particular characters to the end of the Web site's URL, requesting further files within the site. IIS locates the correct advanced file, but does not recognize it as a file that needs processing by a scripting engine. Consequently, IIS sends the file to a browser as it does .htm files, revealing the file source code.