search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Microsoft Index Server/Indexing Service used by IIS 4.0/5.0 contains unchecked buffer used when encoding double-byte characters

Vulnerability Note VU#952336

Original Release Date: 2001-06-19 | Last Revised: 2001-08-16


A vulnerability exists in the Indexing services used by Microsoft IIS 4.0 and IIS 5.0 running on Windows NT, Windows 2000, and beta versions of Windows XP. Exploitations of this vulnerability allows a remote intruder to run arbitrary code on the victim machine.


There is a remotely exploitable buffer overflow in the ISAPI (Indexing Service Application Programming Interface) extension (IDQ.DLL) installed with most versions of IIS 4.0 and 5.0. This affects Windows NT 4.0, Windows 2000 (Server and Professional), Windows 2000 Datacenter OEM distributions, Indexing Server 2.0, and the Indexing Services on all Windows 2000 platforms; however, not all of these instances are vulnerable by default. The beta versions of Windows XP are vulnerable by default.

The only precondition for exploiting this vulnerability is that an IIS server is running with script mappings for Internet Data Administration (.ida) and Internet Data Query (.idq) files. The Indexing Services do not need to be running. As stated by Microsoft in MS01-033:

The buffer overrun occurs before any indexing functionality is requested. As a result, even though idq.dll is a component of Index Server/Indexing Service, the service would not need to be running in order for an attacker to exploit the vulnerability. As long as the script mapping for .idq or .ida files were present, and the attacker were able to establish a web session, he could exploit the vulnerability.

When this buffer overflow is exploited, a remote user may be able run arbitrary code on the victim machine with SYSTEM privileges (which the IIS service has by default).

Microsoft has released patches for this vulnerability that can be downloaded from (NT) (Windows 2000)

For more information, see MS01-033 and the eEye Digital Security bulletin.

Microsoft has released a patch which supercedes the two listed above. Please see MS01-044 for more information.


Remote intruders can execute arbitrary code with SYSTEM privileges in the Local System security context.


Apply patches for vulnerable Windows NT 4.0 and Windows 2000 systems:
Windows NT 4.0:
Windows 2000 Professional, Server and Advanced Server:

Users of Windows 2000 Datacenter Server software should contact their original equipment manufacturer (OEM) for patches.

Microsoft has released a patch which supercedes the two listed above. Please see MS01-044 for more information.


All affected versions of IIS/Indexing Services can be protected against exploits of this vulnerbility by removing script mappings for for Internet Data Administration (.ida) and Internet Data Query (.idq) files. However, Microsoft makes no guarantees such mappings will not be recreated when installing other related software components.

Users of beta copies of Windows XP should upgrade to a newer version of the software when it becomes available.

Vendor Information


Microsoft Affected

Notified:  June 18, 2001 Updated: August 16, 2001



Vendor Statement

Microsoft has released the following advisory regarding this issue: MS01-033

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.


Microsoft has released a patch which supercedes the ones listed in MS01-033. Please see MS01-044 for more information.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

CVSS Metrics

Group Score Vector



Our thanks to Microsoft Corporation and eEye Digital Security for contributing technical information about this vulnerability.

This document was written by Jeffrey S. Havrilla

Other Information

CVE IDs: CVE-2001-0500
CERT Advisory: CA-2001-13
Severity Metric: 69.30
Date Public: 2001-06-18
Date First Published: 2001-06-19
Date Last Updated: 2001-08-16 14:28 UTC
Document Revision: 30

Sponsored by CISA.