
Microsoft IIS Hotfix Summary

-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
AA-2001.02                   AUSCERT Advisory
                       Microsoft IIS Hotfix Summary

                                11 May 2001

Last Revised: -- 16 May 2001

- ---------------------------------------------------------------------------

Since the publication of this advisory, Microsoft have released Security
Bulletin MS01-026 (redistributed as AUSCERT ESB-2001.203), which in
addition to addressing three newly discovered vulnerabilities is described
by Microsoft as a cumulative patch that includes the functionality of all
security patches released to date for IIS 5.0, and all patches released
for IIS 4.0 since Windows NT(r) 4.0 Service Pack 5.

AusCERT encourages sites to evaluate the information contained in Microsoft
Security Bulletin MS01-026, available from:

	ftp://ftp.auscert.org.au/pub/auscert/ESB/ESB-2001.203

The canonical Security Bulletin MS01-026 contains information critical to
the application of the cumulative patch and is available from:

	http://www.microsoft.com/technet/security/bulletin/MS01-026.asp

Microsoft Security Bulletin MS01-026 notes that some vulnerabilities in
IIS 4.0 are not addressed by this patch and require further administrative
action. AusCERT member sites are encouraged to follow the additional
procedures noted by this bulletin where required.

- ---------------------------------------------------------------------------

Due to recent attacks against sites using Microsoft Internet Information
Server, AusCERT has compiled a summary of hotfixes available to address
vulnerabilities in IIS. Please note that the patches, hotfixes and
procedures listed below are only those required since the latest Service
Pack for Windows NT or Windows 2000. This advisory assumes that you have
installed Service Pack 6a for Windows NT or Service Pack 1 for Windows
2000.

AusCERT encourages sites to evaluate which of the following vulnerabilities
apply to them and install the appropriate patch as soon as possible. This
should be done regardless of the risk level we have associated with each
vulnerability.

This document has been divided into four sections -

    1. Vulnerabilities in IIS 4.0 Running on Windows NT 4 SP6a
    2. Vulnerabilities in IIS 5.0 Running on Windows 2000 SP1
    3. Vulnerabilities Common to Both IIS 4.0 and IIS 5.0
    4. Microsoft Checklists and Tools

- ---------------------------------------------------------------------------

1.  IIS 4.0 Running on Windows NT 4 SP6a

1.1 'High Risk' Vulnerabilities

These vulnerabilities are considered high risk due to one or more of the
following:
    + their potential damage
    + the lack of restrictions for use
    + recent or significant activity reported to AusCERT

- --------
MS98-004 - Unauthorized ODBC Data Access with RDS and IIS
MS99-025 - Unauthorized Access to IIS Servers Through ODBC Data Access with
           RDS
- --------

This vulnerability allows a remote user to execute arbitrary code as a
non-Administrator user on the host system. No patch is available for this
problem as it can be fixed by a configuration change. This is not a flaw in
IIS itself - rather in the Microsoft Data Access Components (MDAC).

Due to activity reported to AusCERT, we regard this as a high risk
vulnerability.

The latest version of this security bulletin can be found at:

    http://www.microsoft.com/technet/security/bulletin/MS99-025.asp

and information on the configuration change required can be found at:

    http://www.microsoft.com/technet/security/bulletin/fq99-025.asp


- --------
MS00-018 - Patch Available for "Chunked Encoding Post" Vulnerability 
- --------

This vulnerability can allow a malicious web visitor to consume the free
memory of the web server, rendering it unable to perform useful tasks.

Due to the simplicity of this attack, AusCERT considers this to be a high
risk vulnerability.

The latest version of this security bulletin can be found at:

    http://www.microsoft.com/technet/security/bulletin/MS00-018.asp

and the patch can be found at:

    x86:
        http://www.microsoft.com/Downloads/Release.asp?ReleaseID=19761

    Alpha:
        http://www.microsoft.com/Downloads/Release.asp?ReleaseID=19762


- --------
MS00-063 - Patch Available for "Invalid URL" Vulnerability
- --------

This vulnerability can allow a malicious web visitor to cause the web server
to fail, creating a denial of service.

The latest version of this security bulletin can be found at:

    http://www.microsoft.com/technet/security/bulletin/MS00-063.asp

and the patch can be found at:

    http://www.microsoft.com/Downloads/Release.asp?ReleaseID=24403


1.2 'Medium Risk' Vulnerabilities

These vulnerabilities are considered medium risk due to one or more of the
following:
    + mitigating factors
    + external requirements for exploitation
    + lack of activity reported to AusCERT

- --------
MS99-039 - Patch Available for "Domain Resolution" and "FTP Download"
           Vulnerabilities
- --------

The Domain Resolution vulnerability allows denied hosts to access your
web site, while the FTP Download vulnerability allows users to download
files from an FTP server with "No Access" permissions through a web
browser. The latter affects both IIS and Microsoft Commercial Internet
System 2.5.

The latest version of this security bulletin can be found at:

    http://www.microsoft.com/technet/security/bulletin/MS99-039.asp

and the patches can be found at:

    Domain Resolution:
        ftp://ftp.microsoft.com/bussys/iis/iis-public/fixes/usa/IIS40/hotfixes-postSP6/security/IPRFTP-fix/

    FTP Download:
        ftp://ftp.microsoft.com/bussys/mcis/mcis-public/fixes/usa/mcis25/security/ftpsvc-fix/


- --------
MS99-058 - Patch Available for "Virtual Directory Naming" Vulnerability
- --------

This vulnerability can allow a malicious user to view the contents of
certain files, including the source code of CGI scripts.

AusCERT considers this to be a low to medium risk, since exploitation
requires that normally unreadable files containing sensitive information
are present in the victim's web area.

The latest version of this security bulletin can be found at:

    http://www.microsoft.com/technet/security/bulletin/MS99-058.asp

and the patch can be found at:

    x86:
        http://www.microsoft.com/Downloads/Release.asp?ReleaseID=16378 

    Alpha:
        http://www.microsoft.com/Downloads/Release.asp?ReleaseID=16379


- --------
MS00-006 - Patch Available for "Malformed Hit-Highlighting Argument"
           Vulnerability
- --------

This vulnerability allows a malicious web visitor to gain read-only access
to any file on the same logical drive as the web server. It may also cause
the web server to divulge complete path names in error messages, enabling
the web visitor to map the file structure of the web server.

The latest version of this security bulletin can be found at:

    http://www.microsoft.com/technet/security/bulletin/MS00-006.asp

and the patch can be found at:

    Index Server 2.0 (x86):
        http://www.microsoft.com/downloads/release.asp?ReleaseID=17727

    Index Server 2.0 (Alpha):
        http://www.microsoft.com/downloads/release.asp?ReleaseID=17728

    Indexing Services for Windows 2000 (x86):
        http://www.microsoft.com/downloads/release.asp?ReleaseID=17726


- --------
MS00-028 - Procedure Available to Eliminate "Server-Side Image Map Components"
           Vulnerability
- --------

This vulnerability can allow a malicious remote user to execute arbitrary
commands on the web server, but only with the permissions of the server
process (usually the permissions available to the IUSR_machinename account).

Due to a lack of activity reported to AusCERT, we regard this as a medium
risk.

The latest version of this security bulletin can be found at:

    http://www.microsoft.com/technet/security/bulletin/MS00-028.asp

and the procedure to correct the vulnerability can be found at:

    http://www.microsoft.com/technet/security/bulletin/fq00-028.asp



1.3 'Low Risk' Vulnerabilities

These vulnerabilities are considered low risk due to one or more of the
following:
    + many mitigating factors
    + unusual circumstances in which the vulnerability can be exploited
    + required knowledge of internal information

- --------
MS99-053 - Patch Available for Windows "Multithreaded SSL ISAPI Filter"
           Vulnerability 
- --------

This vulnerability may allow a malicious user to eavesdrop on another user's
confidential data.

Due to the relative difficulty in manufacturing the correct chain of events
to exploit this vulnerability, AusCERT regards this as a low risk.

The latest version of this security bulletin can be found at:

    http://www.microsoft.com/technet/security/bulletin/MS99-053.asp

and the patch can be found at:

    x86:
        http://www.microsoft.com/downloads/release.asp?ReleaseID=16186 

    Alpha:
        http://www.microsoft.com/downloads/release.asp?ReleaseID=16187 


- --------
MS99-061 - Patch Available for "Escape Character Parsing" Vulnerability
- --------

This vulnerability allows a malicious web visitor to specify a file,
protected by a third party application, in such a way as to avoid that
application's permissions checking. Windows' own permissions can not be
circumvented in this way.

AusCERT considers this to be low risk, unless the victim is using such
a third party application. Any program that takes web data and directly
compares it to an access control list may be affected by this vulnerability.

The latest version of this security bulletin can be found at:

    http://www.microsoft.com/technet/security/bulletin/MS99-061.asp

and the patch can be found at:

    x86:
        http://www.microsoft.com/Downloads/Release.asp?ReleaseID=16357 

    Alpha:
        http://www.microsoft.com/Downloads/Release.asp?ReleaseID=16358 


- --------
MS00-025 - Procedure Available to Eliminate "Link View Server-Side Component"
           Vulnerability
- --------

This vulnerability can allow a malicious remote user to crash the web server,
causing a denial of service, or to execute arbitrary commands with System
permissions. This may lead to an Administrator compromise. The vulnerability
can be avoided by setting correct permissions on a DLL file.

Although this vulnerability can lead to an Administrator-level compromise,
AusCERT considers this to be a low risk vulnerability because the
permissions for the DLL file should be set by default to deny access to
unprivileged users.

The latest version of this security bulletin can be found at:

    http://www.microsoft.com/technet/security/bulletin/MS00-.asp

and the procedure to correct the vulnerability can be found at:

    http://www.microsoft.com/technet/security/bulletin/fq00-025.asp


2.  IIS 5.0 Running on Windows 2000 SP1

2.1 'High Risk' Vulnerabilities

These vulnerabilities are considered high risk due to one or more of the
following:
    + their potential damage
    + the lack of restrictions for use
    + recent or significant activity reported to AusCERT

- --------
MS01-023 - Unchecked Buffer in ISAPI Extension Could Enable Compromise of
           IIS 5.0 Server
- --------

This vulnerability can allow a malicious web visitor to execute arbitrary code
on the web server in Local System context. This can lead to an Administrator
compromise.

Due to the ease of use and dangerous potential of this vulnerability, AusCERT
considers this a high risk vulnerability.

The latest version of this security bulletin can be found at:

    http://www.microsoft.com/technet/security/bulletin/MS01-023.asp

and the patch can be found at:

    http://www.microsoft.com/Downloads/Release.asp?ReleaseID=29321


2.2 'Low Risk' Vulnerabilities

These vulnerabilities are considered low risk due to one or more of the
following:
    + many mitigating factors
    + unusual circumstances in which the vulnerability can be exploited
    + required knowledge of internal information

- --------
MS01-014 - Malformed URL can Cause Service Failure in IIS 5.0 and Exchange 2000
- --------

This vulnerability can enable a malicious web visitor to cause the web server
to fail. Both IIS and Microsoft Exchange 2000 are affected by this, although
in both cases it is IIS that fails.

Since the services that fail restart automatically almost immediately,
AusCERT considers this a low risk.

The latest version of this security bulletin can be found at:

    http://www.microsoft.com/technet/security/bulletin/MS01-014.asp

and the patch can be found at:

    IIS 5.0:
        http://www.microsoft.com/Downloads/Release.asp?ReleaseID=28155

    Exchange 2000:
        http://www.microsoft.com/Downloads/Release.asp?ReleaseID=28369 


- --------
MS01-016 - Malformed WebDAV Request Can Cause IIS to Exhaust CPU Resources
- --------

This vulnerability can allow a malicious web visitor to consume CPU cycles
on the web server. Normal CPU use is returned once the server completes
parsing of the malformed request.

The latest version of this security bulletin can be found at:

    http://www.microsoft.com/technet/security/bulletin/MS01-016.asp

and the patch can be found at:

    http://www.microsoft.com/Downloads/Release.asp?ReleaseID=28564


3. Vulnerabilities Common to Both IIS 4.0 and IIS 5.0

3.1 'High Risk' Vulnerabilities

These vulnerabilities are considered high risk due to one or more of the
following:
    + their potential damage
    + the lack of restrictions for use
    + recent or significant activity reported to AusCERT

- --------
MS00-030 - Patch Available for "Malformed Extension Data in URL" Vulnerability
- --------

This vulnerability can allow a malicious web visitor to slow or temporarily
stop the web server.

Due to the simplicity of the potential attack, AusCERT considers this to be a
high risk.

The latest version of this security bulletin can be found at:

    http://www.microsoft.com/technet/security/bulletin/MS00-030.asp

and the patch can be found at:

    IIS 4.0:
        http://www.microsoft.com/Downloads/Release.asp?ReleaseID=20906

    IIS 5.0:
        http://www.microsoft.com/Downloads/Release.asp?ReleaseID=20904 


- --------
MS00-078 - Patch Available for "Web Server Folder Traversal" Vulnerability
MS00-086 - Patch Available for "Web Server File Request Parsing" Vulnerability
- --------

This vulnerability can allow a malicious remote user to execute arbitrary
commands on the web server, but only with the permissions of the server
process (usually the permissions available to the IUSR_machinename account).
This particular exploit is simple to accomplish, and has been used commonly
as a simple web site defacement method.

AusCERT considers this to be a high risk as we have seen significant activity
using this vulnerability.

The latest version of this security bulletin can be found at:

    http://www.microsoft.com/technet/security/bulletin/MS00-078.asp
    http://www.microsoft.com/technet/security/bulletin/MS00-086.asp

and the patch can be found at:
                                
    IIS 4.0:
        http://www.microsoft.com/ntserver/nts/downloads/critical/q277873

    IIS 5.0:
        http://www.microsoft.com/Downloads/Release.asp?ReleaseID=25547

Note that the IIS 5.0 patch in MS00-078 may cause a regression error - the
patches listed in MS00-086 should be installed rather than those in MS00-078.


3.2 'Medium Risk' Vulnerabilities

These vulnerabilities are considered medium risk due to one or more of the
following:
    + mitigating factors
    + external requirements for exploitation
    + lack of activity reported to AusCERT

- --------
MS00-023 - Patch Available for "Myriad Escaped Characters" Vulnerability
- --------

This vulnerability can cause the web server to monopolise CPU cycles while
parsing malformed requests. This effect only lasts as long as the server is
parsing the request.

The latest version of this security bulletin can be found at:

    http://www.microsoft.com/technet/security/bulletin/MS00-023.asp

and the patch can be found at:

    IIS 4.0:
        http://www.microsoft.com/Downloads/Release.asp?ReleaseID=20292 

    IIS 5.0:
        http://www.microsoft.com/Downloads/Release.asp?ReleaseID=20286 


- --------
MS00-031 - Patch Available for "Undelimited .HTR Request" and "File
           Fragment Reading via .HTR" Vulnerabilities
MS00-044 - Patch Available for "Absent Directory Browser Argument"
           Vulnerability
MS01-004 - Malformed .HTR Request Allows Reading of File Fragments
- --------

These vulnerabilities may allow a malicious web visitor to either perform a
denial of service attack on the web server or to retrieve parts of normally
unreadable files from the server.

The latest version of this security bulletin can be found at:

    http://www.microsoft.com/technet/security/bulletin/MS01-004.asp

and the patch can be found at:

    IIS 4.0:
        http://www.microsoft.com/Downloads/Release.asp?ReleaseID=27492

    IIS 5.0:
        http://www.microsoft.com/Downloads/Release.asp?ReleaseID=27491


- --------
MS00-060 - Patch Available for "IIS Cross-Site Scripting" Vulnerabilities
MS00-084 - Patch Available for "Indexing Services Cross Site Scripting"
           Vulnerability
- --------

This vulnerability can enable a malicious web site to run a script with the
appearance of being a third party's site. Bulletin MS00-084 contains an
updated patch for IIS 5.0.

The latest version of this security bulletin can be found at:

    http://www.microsoft.com/technet/security/bulletin/MS00-060.asp
    http://www.microsoft.com/technet/security/bulletin/MS00-084.asp

and the patch can be found at:

    IIS 4.0:
        http://www.microsoft.com/Downloads/Release.asp?ReleaseID=25534

    IIS 5.0:
        http://www.microsoft.com/Downloads/Release.asp?ReleaseID=25533
        http://www.microsoft.com/Downloads/Release.asp?ReleaseID=25517 


- --------
MS00-100 - Patch Available for "Malformed Web Form Submission" Vulnerability 
- --------

This vulnerability can enable a malicious web visitor to cause the web server
to fail. In the case of IIS 4.0, the service would have to be restarted;
IIS 5.0 should automatically restart immediately. Any connections active at
the time of the failure will be lost.

The latest version of this security bulletin can be found at:

    http://www.microsoft.com/technet/security/bulletin/MS00-100.asp

and the patch can be found at:

    IIS 5.0:
        http://www.microsoft.com/Downloads/Release.asp?ReleaseID=26277

    IIS 4.0:
        http://www.microsoft.com/Downloads/Release.asp?ReleaseID=26704


3.3 'Low Risk' Vulnerabilities

These vulnerabilities are considered low risk due to one or more of the
following:
    + many mitigating factors
    + unusual circumstances in which the vulnerability can be exploited
    + required knowledge of internal information

- --------
MS00-019 - Patch Available for "Virtualized UNC Share" Vulnerability
- --------

This vulnerability can cause the web server to send the contents of certain
files, including the source code of CGI scripts, to a malicious web visitor.

Due to the relative difficulty in exploiting this vulnerability, AusCERT
considers it to be low risk.

The latest version of this security bulletin can be found at:

    http://www.microsoft.com/technet/security/bulletin/MS00-019.asp

and the patch can be found at:

    IIS 4.0 (x86):
        http://www.microsoft.com/downloads/release.asp?ReleaseID=18900

    IIS 4.0 (Alpha):
        http://www.microsoft.com/downloads/release.asp?ReleaseID=18901

    IIS 5.0 (x86):
        http://www.microsoft.com/downloads/release.asp?ReleaseID=19982


- --------
MS00-057 - Patch Available for "File Permission Canonicalization" Vulnerability
- --------

This vulnerability can allow certain files (CGI scripts included) to be
accessed with higher-than-normal permissions by a malicious web visitor.

The latest version of this security bulletin can be found at:

    http://www.microsoft.com/technet/security/bulletin/MS00-057.asp

and the patch can be found at:

    IIS 4.0:
        http://www.microsoft.com/Downloads/Release.asp?ReleaseID=23667

    IIS 5.0:
        http://www.microsoft.com/Downloads/Release.asp?ReleaseID=23665


- --------
MS00-080 - Patch Available for "Session ID Cookie Marking" Vulnerability
- --------

This vulnerability could allow a malicious user to eavesdrop on a secure
session ID cookie being passed as plain text across the Internet.

AusCERT considers this to be a low risk, as it is difficult to exploit.

The latest version of this security bulletin can be found at:

    http://www.microsoft.com/technet/security/bulletin/MS00-080.asp

and the patch can be found at:

    IIS 4.0 (x86):
        http://www.microsoft.com/ntserver/nts/downloads/critical/q274149

    IIS 4.0 (Alpha):
        http://support.microsoft.com/directory

    IIS 5.0:
        http://www.microsoft.com/Windows2000/downloads/critical/q274149 



4. Microsoft Checklists and Tools

Microsoft has made several checklists and security tools available. They can
be found at:

    Secure IIS 5 Checklist
    http://www.microsoft.com/technet/security/iis5chk.asp

    IIS 4.0 Security Checklist
    http://www.microsoft.com/technet/security/iischk.asp

    Hotfix Checking Tool for IIS 5.0
    http://www.microsoft.com/Downloads/Release.asp?ReleaseID=24168

    Security Planning Tool for IIS
    http://www.microsoft.com/Downloads/Release.asp?ReleaseID=24973

    General Tools and Checklists page
    http://www.microsoft.com/technet/security/tools.asp

AusCERT also has some checklists and security documents available. They can
be found at:

    Windows NT Configuration Guidelines
    http://www.auscert.org.au/Information/Auscert_info/Papers/win_configuration_guidelines.html

    Windows NT Security and Configuration Resources
    http://www.auscert.org.au/Information/Auscert_info/Papers/win_resources.html

- ---------------------------------------------------------------------------

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation.  The
appropriateness of this document for an organisation or individual system
should be considered before application in conjunction with local policies
and procedures.  AusCERT takes no responsibility for the consequences of
applying the contents of this document.

If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

AusCERT maintains an anonymous FTP service which is found on:
ftp://ftp.auscert.org.au/pub/.  This archive contains past SERT and AusCERT
Advisories, and other computer security information.

AusCERT also maintains a World Wide Web service which is found on:
http://www.auscert.org.au/.

Internet Email: auscert@auscert.org.au
Facsimile:	(07) 3365 7031
Telephone:	(07) 3365 4417 (International: +61 7 3365 4417)
		AusCERT personnel answer during Queensland business hours
		which are GMT+10:00 (AEST).
		On call after hours for emergencies.

Postal:
Australian Computer Emergency Response Team
The University of Queensland
Brisbane        
Qld  4072     
AUSTRALIA       


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Revision History

    Advisory Created  11/05/2001
    Advisory Released 14/05/2001
    Advisory Revised  16/05/2001
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key

iQCVAwUBOzMr+Sh9+71yA2DNAQFO8QP8C9CYa9J3qRgInJVAYZIIHYjrs9mpmbPz
dO0TFYfzJINQfKorTAfp0WXHHe/zpSiy2HfnA1eO40/sZW5aR8nL0bG2OzvBkJR0
bxM8J7XP2rH3/+2Q+dzpdoJxo6KCFGVUUQfC/jmbUt3Qm4u56q59s8B72Atc556v
C02wdLQolR8=
=E0BN
-----END PGP SIGNATURE-----
