I recently ran the Microsoft Network Security Hotfix Checker (hfnetchk.exe) tool on my IIS 5.0 server, which I had patched with Windows 2000 Service Pack 2 (SP2) and MS01-044 (15 August 2001 Cumulative Patch for IIS). Hfnetchk reported that MS01-025 (Index Server Search Function Contains Unchecked Buffer) wasn't installed. This hotfix appears with IIS hotfixes on the Microsoft Security Bulletin Search Web page (http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/current.asp). MS01-044 says it includes all IIS hotfixes, so what's the problem?

I answered a similar question last month, so refer to my December 2001 column for a more detailed answer. It's worth noting, however, that if you read the Caveats information under the "Additional Information About this Patch" section of MS01-044's documentation, it states that MS01-044 doesn't include these hotfixes:

  • MS01-043 (NNTP Service Contains Memory Leak)
  • MS01-025
  • MS00-084 (Patch Available for "Indexing Services Cross Site Scripting" Vulnerability)
  • MS00-006 (Patch Available for "Malformed Hit-Highlighting Argument" Vulnerability)

Consequently, Hfnetchk is correct; MS01-025, which is an important hotfix, is missing. (You can download Hfnetchk from http://support.microsoft.com/support/kb/articles/q303/2/15.asp.)