ZDNet UK


Microsoft patches ten IIS vulnerabilities

John McCormick

Published: 29 Apr 2002 13:39 BST


If you have a Web server running IIS on Windows NT 4.0 or Windows 2000 (or even Windows XP), you've got some new security problems to deal with. In what can only be viewed as a bad week for Microsoft, the company recently disclosed ten formerly unpatched vulnerabilities in Internet Information Server (IIS)--and several of them have been rated as critical threats.

Some of the vulnerabilities are buffer overruns that can allow attackers to run arbitrary code on the server, or that can leave the server open to hosting, or being the target of, denial of service attacks. Other flaws are less critical but could still cause damage.

If you're running almost any version of IIS, you need to update it with the latest patches from Microsoft.

In MS02-018, which describes these 10 vulnerabilities and the associated patches, Microsoft indicates the single exception: "Beta versions of .NET Server after Build 3605 contain fixes for all of the vulnerabilities affecting IIS 6.0. As discussed in the [MS02-018] FAQ, Microsoft is working directly with the small number of customers who are using the .NET Server beta version in production environments to provide immediate remediation for them."

Risk levels--low to critical

Since at least three of these vulnerabilities affecting IIS 4.0, IIS 5.0, and IIS 5.1 are rated critical by Microsoft, the cumulative patches are very important unless you have installed the IIS Lockdown Tool according to best practices and don't need the services that Lockdown disables.

Applicability

As usual, Microsoft warns that the company does not test or report on vulnerabilities in any older versions of software that the company no longer supports.
