Three weeks before Windows 2000 is slated for widespread availability and it already needs a security patch. Microsoft Security Bulletin MS00-006 describes the patch, which fixes two vulnerabilities that affect Microsoft Index Server in Windows NT 4.0 and Indexing Services in Windows 2000. The vulnerabilities could allow a malicious user to read files on an NT/2000 Web server under certain conditions and reveal where Web files are located on the server.
Microsoft stresses that the problems would not allow anyone to change, delete, or add files to an NT/2000 Web server. However, because one vulnerability allows malicious users to locate files on a Web server, it is possible to then download those files using the other vulnerability. The company notes that the vulnerabilities are otherwise unrelated, though they both occur in Index Server ("Indexing Services" in Windows 2000).
Microsoft recommends that anyone using Windows NT 4.0 or Windows 2000 to host a Web site download and install this patch. You can find out more information about the vulnerabilities at the Microsoft TechNet Web site.
For Windows 2000 users, of course, this patch is somewhat interesting if only because it is the first such update to the new operating system. It's also extremely disappointing from an administrative standpoint because there's no way to slipstream the fix into a Windows 2000 install share and because the patch requires you to reboot the machine once it's installed. One of the primary selling points of Windows 2000 is that it requires far fewer reboots than Windows NT 4.0