-----BEGIN PGP SIGNED MESSAGE-----
===========================================================================
AA-2001.02 AUSCERT Advisory
Microsoft IIS Hotfix Summary
11 May 2001
Last Revised: -- 16 May 2001
- ---------------------------------------------------------------------------
Since the publication of this advisory, Microsoft have released Security
Bulletin MS01-026 (redistributed as AUSCERT ESB-2001.203), which in
addition to addressing three newly discovered vulnerabilities is described
by Microsoft as a cumulative patch that includes the functionality of all
security patches released to date for IIS 5.0, and all patches released
for IIS 4.0 since Windows NT(r) 4.0 Service Pack 5.
AusCERT encourages sites to evaluate the information contained in Microsoft
Security Bulletin MS01-026, available from:
ftp://ftp.auscert.org.au/pub/auscert/ESB/ESB-2001.203
The canonical Security Bulletin MS01-026 contains information critical to
the application of the cumulative patch and is available from:
http://www.microsoft.com/technet/security/bulletin/MS01-026.asp
Microsoft Security Bulletin MS01-026 notes that some vulnerabilities in
IIS 4.0 are not addressed by this patch and require further administrative
action. AusCERT member sites are encouraged to follow the additional
procedures noted by this bulletin where required.
- ---------------------------------------------------------------------------
Due to recent attacks against sites using Microsoft Internet Information
Server, AusCERT has compiled a summary of hotfixes available to address
vulnerabilities in IIS. Please note that the patches, hotfixes and
procedures listed below are only those required since the latest Service
Pack for Windows NT or Windows 2000. This advisory assumes that you have
installed Service Pack 6a for Windows NT or Service Pack 1 for Windows
2000.
AusCERT encourages sites to evaluate which of the following vulnerabilities
apply to them and install the appropriate patch as soon as possible. This
should be done regardless of the risk level we have associated with each
vulnerability.
This document has been divided into four sections -
1. Vulnerabilities in IIS 4.0 Running on Windows NT 4 SP6a
2. Vulnerabilities in IIS 5.0 Running on Windows 2000 SP1
3. Vulnerabilities Common to Both IIS 4.0 and IIS 5.0
4. Microsoft Checklists and Tools
- ---------------------------------------------------------------------------
1. IIS 4.0 Running on Windows NT 4 SP6a
1.1 'High Risk' Vulnerabilities
These vulnerabilities are considered high risk due to one or more of the
following:
+ their potential damage
+ the lack of restrictions for use
+ recent or significant activity reported to AusCERT
- --------
MS98-004 - Unauthorized ODBC Data Access with RDS and IIS
MS99-025 - Unauthorized Access to IIS Servers Through ODBC Data Access with
RDS
- --------
This vulnerability allows a remote user to execute arbitrary code as a
non-Administrator user on the host system. No patch is available for this
problem as it can be fixed by a configuration change. This is not a flaw in
IIS itself - rather in the Microsoft Data Access Components (MDAC).
Due to activity reported to AusCERT, we regard this as a high risk
vulnerability.
The latest version of this security bulletin can be found at:
http://www.microsoft.com/technet/security/bulletin/MS99-025.asp
and information on the configuration change required can be found at:
http://www.microsoft.com/technet/security/bulletin/fq99-025.asp
- --------
MS00-018 - Patch Available for "Chunked Encoding Post" Vulnerability
- --------
This vulnerability can allow a malicious web visitor to consume the free
memory of the web server, rendering it unable to perform useful tasks.
Due to the simplicity of this attack, AusCERT considers this to be a high
risk vulnerability.
The latest version of this security bulletin can be found at:
http://www.microsoft.com/technet/security/bulletin/MS00-018.asp
and the patch can be found at:
x86:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=19761
Alpha:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=19762
- --------
MS00-063 - Patch Available for "Invalid URL" Vulnerability
- --------
This vulnerability can allow a malicious web visitor to cause the web server
to fail, creating a denial of service.
The latest version of this security bulletin can be found at:
http://www.microsoft.com/technet/security/bulletin/MS00-063.asp
and the patch can be found at:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=24403
1.2 'Medium Risk' Vulnerabilities
These vulnerabilities are considered medium risk due to one or more of the
following:
+ mitigating factors
+ external requirements for exploitation
+ lack of activity reported to AusCERT
- --------
MS99-039 - Patch Available for "Domain Resolution" and "FTP Download"
Vulnerabilities
- --------
The Domain Resolution vulnerability allows denied hosts to access your
web site, while the FTP Download vulnerability allows users to download
files from an FTP server with "No Access" permissions through a web
browser. The latter affects both IIS and Microsoft Commercial Internet
System 2.5.
The latest version of this security bulletin can be found at:
http://www.microsoft.com/technet/security/bulletin/MS99-039.asp
and the patches can be found at:
Domain Resolution
ftp://ftp.microsoft.com/bussys/iis/iis-public/fixes/usa/IIS40/hotfixes-postSP6/security/IPRFTP-fix/
FTP Download
ftp://ftp.microsoft.com/bussys/mcis/mcis-public/fixes/usa/mcis25/security/ftpsvc-fix/
- --------
MS99-058 - Patch Available for "Virtual Directory Naming" Vulnerability
- --------
This vulnerability can allow a malicious user to view the contents of
certain files, including the source code of CGI scripts.
AusCERT considers this to be a low to medium risk, since the victim must
first have normally unreadable files containing sensitive information in
their web area.
The latest version of this security bulletin can be found at:
http://www.microsoft.com/technet/security/bulletin/MS99-058.asp
and the patch can be found at:
x86:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=16378
alpha:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=16379
- --------
MS00-006 - Patch Available for "Malformed Hit-Highlighting Argument"
Vulnerability
- --------
This vulnerability allows a malicious web visitor to gain read-only access
to any file on the same logical drive as the web server. It may also cause
the web server to divulge complete path names in error messages, enabling
the web visitor to map the file structure of the web server.
The latest version of this security bulletin can be found at:
http://www.microsoft.com/technet/security/bulletin/MS00-006.asp
and the patch can be found at:
Index Server 2.0 (x86):
http://www.microsoft.com/downloads/release.asp?ReleaseID=17727
Index Server 2.0 (Alpha):
http://www.microsoft.com/downloads/release.asp?ReleaseID=17728
Indexing Services for Windows 2000 (x86):
http://www.microsoft.com/downloads/release.asp?ReleaseID=17726
- --------
MS00-028 - Procedure Available to Eliminate "Server-Side Image Map Components"
Vulnerability
- --------
This vulnerability can allow a malicious remote user to execute arbitrary
commands on the web server, but only with the permissions of the server
process (usually the permissions available to the IUSR_machinename account).
Due to a lack of activity reported to AusCERT, we regard this as a medium
risk.
The latest version of this security bulletin can be found at:
http://www.microsoft.com/technet/security/bulletin/MS00-028.asp
and the procedure to correct the vulnerability can be found at:
http://www.microsoft.com/technet/security/bulletin/fq00-028.asp
1.3 'Low Risk' Vulnerabilities
These vulnerabilities are considered low risk due to one or more of the
following:
+ many mitigating factors
+ unusual circumstances in which the vulnerability can be exploited
+ required knowledge of internal information
- --------
MS99-053 - Patch Available for Windows "Multithreaded SSL ISAPI Filter"
Vulnerability
- --------
This vulnerability may allow a malicious user to eavesdrop on another user's
confidential data.
Due to the relative difficulty in manufacturing the correct chain of events
to exploit this vulnerability, AusCERT regards this as a low risk.
The latest version of this security bulletin can be found at:
http://www.microsoft.com/technet/security/bulletin/MS99-053.asp
and the patch can be found at:
x86:
http://www.microsoft.com/downloads/release.asp?ReleaseID=16186
Alpha:
http://www.microsoft.com/downloads/release.asp?ReleaseID=16187
- --------
MS99-061 - Patch Available for "Escape Character Parsing" Vulnerability
- --------
This vulnerability allows a malicious web visitor to specify a file,
protected by a third party application, in such a way as to avoid that
application's permissions checking. Windows' own permissions cannot be
circumvented in this way.
AusCERT considers this to be low risk, unless the victim is using such
a third party application. Any program that takes web data and directly
compares it to an access control list may be affected by this vulnerability.
The latest version of this security bulletin can be found at:
http://www.microsoft.com/technet/security/bulletin/MS99-061.asp
and the patch can be found at:
x86:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=16357
Alpha:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=16358
- --------
MS00-025 - Procedure Available to Eliminate "Link View Server-Side Component"
Vulnerability
- --------
This vulnerability can allow a malicious remote user to crash the web server,
causing a denial of service, or to execute arbitrary commands with System
permissions. This may lead to an Administrator compromise. The vulnerability
can be avoided by setting correct permissions on a DLL file.
Although this vulnerability can lead to an Administrator-level compromise,
AusCERT considers this to be a low risk vulnerability due to the fact that the
permissions for the DLL file should be set by default to not allow
unprivileged users.
The latest version of this security bulletin can be found at:
http://www.microsoft.com/technet/security/bulletin/MS00-.asp
and the procedure to correct the vulnerability can be found at:
http://www.microsoft.com/technet/security/bulletin/fq00-025.asp
2. IIS 5.0 Running on Windows 2000 SP1
2.1 'High Risk' Vulnerabilities
These vulnerabilities are considered high risk due to one or more of the
following:
+ their potential damage
+ the lack of restrictions for use
+ recent or significant activity reported to AusCERT
- --------
MS01-023 - Unchecked Buffer in ISAPI Extension Could Enable Compromise of
IIS 5.0 Server
- --------
This vulnerability can allow a malicious web visitor to execute arbitrary code
on the web server in Local System context. This can lead to an Administrator
compromise.
Due to the ease of use and dangerous potential of this vulnerability, AusCERT
considers this a high risk vulnerability.
The latest version of this security bulletin can be found at:
http://www.microsoft.com/technet/security/bulletin/MS01-023.asp
and the patch can be found at:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=29321
2.2 'Low Risk' Vulnerabilities
These vulnerabilities are considered low risk due to one or more of the
following:
+ many mitigating factors
+ unusual circumstances in which the vulnerability can be exploited
+ required knowledge of internal information
- --------
MS01-014 - Malformed URL can Cause Service Failure in IIS 5.0 and Exchange 2000
- --------
This vulnerability can enable a malicious web visitor to cause the web server
to fail. Both IIS and Microsoft Exchange 2000 are affected by this, although
in both cases it is IIS that fails.
Since the services that fail restart automatically almost immediately,
AusCERT considers this a low risk.
The latest version of this security bulletin can be found at:
http://www.microsoft.com/technet/security/bulletin/MS01-014.asp
and the patch can be found at:
IIS 5.0:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=28155
Exchange 2000:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=28369
- --------
MS01-016 - Malformed WebDAV Request Can Cause IIS to Exhaust CPU Resources
- --------
This vulnerability can allow a malicious web visitor to consume CPU cycles
on the web server. Normal CPU use is returned once the server completes
parsing of the malformed request.
The latest version of this security bulletin can be found at:
http://www.microsoft.com/technet/security/bulletin/MS01-016.asp
and the patch can be found at:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=28564
3. Vulnerabilities Common to Both IIS 4.0 and IIS 5.0
3.1 'High Risk' Vulnerabilities
These vulnerabilities are considered high risk due to one or more of the
following:
+ their potential damage
+ the lack of restrictions for use
+ recent or significant activity reported to AusCERT
- --------
MS00-030 - Patch Available for "Malformed Extension Data in URL" Vulnerability
- --------
This vulnerability can allow a malicious web visitor to slow or temporarily
stop the web server.
Due to the simplicity of the potential attack, AusCERT considers this to be a
high risk.
The latest version of this security bulletin can be found at:
http://www.microsoft.com/technet/security/bulletin/MS00-030.asp
and the patch can be found at:
IIS 4.0:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=20906
IIS 5.0:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=20904
- --------
MS00-078 - Patch Available for "Web Server Folder Traversal" Vulnerability
MS00-086 - Patch Available for "Web Server File Request Parsing" Vulnerability
- --------
This vulnerability can allow a malicious remote user to execute arbitrary
commands on the web server, but only with the permissions of the server
process (usually the permissions available to the IUSR_machinename account).
This particular exploit is simple to accomplish, and has been used commonly
as a simple web site defacement method.
AusCERT considers this to be a high risk as we have seen significant activity
using this vulnerability.
The latest version of this security bulletin can be found at:
http://www.microsoft.com/technet/security/bulletin/MS00-078.asp
http://www.microsoft.com/technet/security/bulletin/MS00-086.asp
and the patch can be found at:
IIS 4.0:
http://www.microsoft.com/ntserver/nts/downloads/critical/q277873
IIS 5.0:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=25547
Note that the IIS 5.0 patch in MS00-078 may cause a regression error - the
patches listed in MS00-086 should be installed rather than those in MS00-078.
3.2 'Medium Risk' Vulnerabilities
These vulnerabilities are considered medium risk due to one or more of the
following:
+ mitigating factors
+ external requirements for exploitation
+ lack of activity reported to AusCERT
- --------
MS00-023 - Patch Available for "Myriad Escaped Characters" Vulnerability
- --------
This vulnerability can cause the web server to monopolise CPU cycles while
parsing malformed requests. This effect only lasts as long as the server is
parsing the request.
The latest version of this security bulletin can be found at:
http://www.microsoft.com/technet/security/bulletin/MS00-023.asp
and the patch can be found at:
IIS 4.0:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=20292
IIS 5.0:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=20286
- --------
MS00-031 - Patch Available for "Undelimited .HTR Request" and "File
Fragment Reading via .HTR" Vulnerabilities
MS00-044 - Patch Available for "Absent Directory Browser Argument"
Vulnerability
MS01-004 - Malformed .HTR Request Allows Reading of File Fragments
- --------
These vulnerabilities may allow a malicious web visitor to either perform a
denial of service attack on the web server or to retrieve parts of normally
unreadable files from the server.
The latest version of this security bulletin can be found at:
http://www.microsoft.com/technet/security/bulletin/MS01-004.asp
and the patch can be found at:
IIS 4.0:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=27492
IIS 5.0:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=27491
- --------
MS00-060 - Patch Available for "IIS Cross-Site Scripting" Vulnerabilities
MS00-084 - Patch Available for "Indexing Services Cross Site Scripting"
Vulnerability
- --------
This vulnerability can enable a malicious web site to run a script with the
appearance of being a third party's site. Bulletin MS00-084 contains an
updated patch for IIS 5.0.
The latest version of this security bulletin can be found at:
http://www.microsoft.com/technet/security/bulletin/MS00-060.asp
http://www.microsoft.com/technet/security/bulletin/MS00-084.asp
and the patch can be found at:
IIS 4.0:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=25534
IIS 5.0:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=25533
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=25517
- --------
MS00-100 - Patch Available for "Malformed Web Form Submission" Vulnerability
- --------
This vulnerability can enable a malicious web visitor to cause the web server
to fail. In the case of IIS 4.0, the service would have to be restarted -
IIS 5.0 should automatically restart immediately. Any connections active at
the time of the failure will be lost.
The latest version of this security bulletin can be found at:
http://www.microsoft.com/technet/security/bulletin/MS00-100.asp
and the patch can be found at:
IIS 5.0:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=26277
IIS 4.0:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=26704
3.3 'Low Risk' Vulnerabilities
These vulnerabilities are considered low risk due to one or more of the
following:
+ many mitigating factors
+ unusual circumstances in which the vulnerability can be exploited
+ required knowledge of internal information
- --------
MS00-019 - Patch Available for "Virtualized UNC Share" Vulnerability
- --------
This vulnerability can cause the web server to send the contents of certain
files, including the source code of CGI scripts, to a malicious web visitor.
Due to the relative difficulty in exploiting this vulnerability, AusCERT
considers it to be low risk.
The latest version of this security bulletin can be found at:
http://www.microsoft.com/technet/security/bulletin/MS00-019.asp
and the patch can be found at:
IIS 4.0 (x86):
http://www.microsoft.com/downloads/release.asp?ReleaseID=18900
IIS 4.0 (Alpha):
http://www.microsoft.com/downloads/release.asp?ReleaseID=18901
IIS 5.0 (x86):
http://www.microsoft.com/downloads/release.asp?ReleaseID=19982
- --------
MS00-057 - Patch Available for "File Permission Canonicalization" Vulnerability
- --------
This vulnerability can allow certain files (CGI scripts included) to be
accessed with higher-than-normal permissions by a malicious web visitor.
The latest version of this security bulletin can be found at:
http://www.microsoft.com/technet/security/bulletin/MS00-057.asp
and the patch can be found at:
IIS 4.0:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=23667
IIS 5.0:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=23665
- --------
MS00-080 - Patch Available for "Session ID Cookie Marking" Vulnerability
- --------
This vulnerability could allow a malicious user to eavesdrop on a secure
session ID cookie being passed as plain text across the Internet.
AusCERT considers this to be a low risk, as it is difficult to exploit.
The latest version of this security bulletin can be found at:
http://www.microsoft.com/technet/security/bulletin/MS00-080.asp
and the patch can be found at:
IIS 4.0 (x86):
http://www.microsoft.com/ntserver/nts/downloads/critical/q274149
IIS 4.0 (Alpha):
http://support.microsoft.com/directory
IIS 5.0:
http://www.microsoft.com/Windows2000/downloads/critical/q274149
4. Microsoft Checklists and Tools
Microsoft has made several checklists and security tools available. They can
be found at:
Secure IIS 5 Checklist
http://www.microsoft.com/technet/security/iis5chk.asp
IIS 4.0 Security Checklist
http://www.microsoft.com/technet/security/iischk.asp
Hotfix Checking Tool for IIS 5.0
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=24168
Security Planning Tool for IIS
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=24973
General Tools and Checklists page
http://www.microsoft.com/technet/security/tools.asp
AusCERT also has some checklists and security documents available. They can
be found at:
Windows NT Configuration Guidelines
http://www.auscert.org.au/Information/Auscert_info/Papers/win_configuration_guidelines.html
Windows NT Security and Configuration Resources
http://www.auscert.org.au/Information/Auscert_info/Papers/win_resources.html
- ---------------------------------------------------------------------------
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The
appropriateness of this document for an organisation or individual system
should be considered before application in conjunction with local policies
and procedures. AusCERT takes no responsibility for the consequences of
applying the contents of this document.
If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).
AusCERT maintains an anonymous FTP service which is found on:
ftp://ftp.auscert.org.au/pub/. This archive contains past SERT and AusCERT
Advisories, and other computer security information.
AusCERT also maintains a World Wide Web service which is found on:
http://www.auscert.org.au/.
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for emergencies.
Postal:
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
AUSTRALIA
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Revision History
Advisory Created 11/05/2001
Advisory Released 14/05/2001
Advisory Revised 16/05/2001
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key
iQCVAwUBOzMr+Sh9+71yA2DNAQFO8QP8C9CYa9J3qRgInJVAYZIIHYjrs9mpmbPz
dO0TFYfzJINQfKorTAfp0WXHHe/zpSiy2HfnA1eO40/sZW5aR8nL0bG2OzvBkJR0
bxM8J7XP2rH3/+2Q+dzpdoJxo6KCFGVUUQfC/jmbUt3Qm4u56q59s8B72Atc556v
C02wdLQolR8=
=E0BN
-----END PGP SIGNATURE-----