There is an information disclosure vulnerability in the Indexing Service because of the way that it handles query validation. The vulnerability could allow an attacker to run client-side script on behalf of a user. The script could spoof content, disclose information, or take any action that the user could take on the affected Web site.
By default, Internet Information Services (IIS) is not installed on Windows XP or on Windows Server 2003.
On Windows Server 2003, the Indexing Service is not enabled by default.
On Windows Server 2003, even when the Indexing Service is installed, by default it is not accessible from IIS. Manual steps are required to enable IIS to become a Web-based interface for the Indexing Service. By default the Indexing Service is used only to perform local and remote file system queries.
Recommendations: Evaluate urgency based on your installation, and apply the patch.
Sep 12th 2006
1 decade ago