Microsoft Cumulative Patch for IIS (CIAC N-098)

             __________________________________________________________

                       The U.S. Department of Energy
                   Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

       Microsoft Cumulative Patch for Internet Information Service (IIS)
                     [Microsoft Security Bulletin MS03-018]

May 28, 2003 22:00 GMT                                            Number N-098
______________________________________________________________________________
PROBLEM:       There are four security vulnerabilities in IIS: 
	       1) A Cross-Site Scripting (CSS) vulnerability involving the 
	          error message that is returned to advise that a requested URL 
	          has been redirected. 
               2) A buffer overrun that does not correctly validate requests 
                  for certain types of web pages known as server side includes. 
               3) A denial of service vulnerability in the allocation of 
                  memory requests when constructing headers to be returned to a 
                  web client. 
	       4) A denial of service vulnerability that does not correctly 
	          handle an error condition when an overly long WebDAV request 
		  is passed. 
PLATFORM:      * Microsoft Internet Information Server 4.0 
	       * Microsoft Internet Information Services 5.0 
	       * Microsoft Internet Information Services 5.1 
DAMAGE:        Unpatched systems are vulnerable to denial of service attacks. 
               The most serious of these vulnerabilities may allow an attacker 
               to execute code of their choice. 
SOLUTION:      Apply patch as described in Microsoft's security bulletin. 
______________________________________________________________________________
VULNERABILITY  The risk is MEDIUM. The most serious vulnerability described is the 
ASSESSMENT:    buffer overrun; an attacker would need the ability to upload a 
               Server-side include page to a vulnerable IIS server. If the 
               attacker then requested this page, a buffer overrun could 
               result, which would allow the attacker to execute code of 
               their choice on the server. 
______________________________________________________________________________
LINKS: 
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/n-098.shtml 
 ORIGINAL BULLETIN:  http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-018.asp 
______________________________________________________________________________

[***** Start Microsoft Security Bulletin MS03-018 *****]

Microsoft Security Bulletin MS03-018 

Cumulative Patch for Internet Information Service (811114)
Originally posted: May 28, 2003

Summary
Who should read this bulletin: Customers hosting web servers using Microsoft® 
Windows NT® 4.0, Windows® 2000, or Windows® XP. 

Impact of vulnerability: Allow an attacker to execute code of their choice 

Maximum Severity Rating: Important 

Recommendation: Customers hosting web servers using Microsoft® Windows NT® 4.0, 
Windows® 2000, or Windows® XP should install the patch at the earliest 
opportunity. 

Affected Software: 

* Microsoft Internet Information Server 4.0 
* Microsoft Internet Information Services 5.0 
* Microsoft Internet Information Services 5.1 

Non Affected Software: 

* Microsoft Internet Information Services 6.0 

End User Bulletin: An end user version of this bulletin is available at: 
http://www.microsoft.com/security/security_bulletins/ms03-018.asp. 


 Technical details
Technical description: 


This patch is a cumulative patch that includes the functionality of all security 
patches released for IIS 4.0 since Windows NT 4.0 Service Pack 6a, and all security 
patches released to date for IIS 5.0 since Windows 2000 Service Pack 2 and IIS 5.1. 
A complete listing of the patches superseded by this patch is provided below, in 
the section titled “Additional information about this patch”. 

In addition to all previously released security patches, this patch also includes 
fixes for the following newly discovered security vulnerabilities affecting IIS 4.0, 
5.0 and 5.1: 

* A Cross-Site Scripting (CSS) vulnerability affecting IIS 4.0, 5.0 and 5.1 involving 
the error message that’s returned to advise that a requested URL has been redirected. 
An attacker who was able to lure a user into clicking a link on his or her web site 
could relay a request containing script to a third-party web site running IIS, 
thereby causing the third-party site’s response (still including the script) to be 
sent to the user. The script would then render using the security settings of the 
third-party site rather than the attacker’s. 

* A buffer overrun that results because IIS 5.0 does not correctly validate requests 
for certain types of web pages known as server side includes. An attacker would need 
the ability to upload a Server-side include page to a vulnerable IIS server. If the 
attacker then requested this page, a buffer overrun could result, which would allow 
the attacker to execute code of their choice on the server with user-level 
permissions. 

* A denial of service vulnerability that results because of a flaw in the way IIS 4.0 
and 5.0 allocate memory requests when constructing headers to be returned to a web 
client. An attacker would need the ability to upload an ASP page to a vulnerable IIS 
server. This ASP page, when called by the attacker, would attempt to return an extremely 
large header to the calling web client. Because IIS does not limit the amount of memory 
that can be used in this case, this could cause IIS to fail as a result of running out 
of local memory. 

* A denial of service vulnerability that results because IIS 5.0 and 5.1 do not correctly 
handle an error condition when an overly long WebDAV request is passed to them. As a 
result an attacker could cause IIS to fail – however both IIS 5.0 and 5.1 will by 
default restart immediately after this failure. 

There is a dependency associated with this patch – it requires the patch from Microsoft 
Security Bulletin MS02-050 to be installed. If this patch is installed and MS02-050 is 
not present, client side certificates will be rejected. This functionality can be 
restored by installing the MS02-050 patch. 

Mitigating factors: 

Redirection Cross Site Scripting: 

* IIS 6.0 is not affected. 
* The vulnerability could only be exploited if the attacker could entice another user 
  into visiting a web page and clicking a link on it, or opening an HTML mail. 
* The target page must be an ASP page that uses Response.Redirect to send the client 
  to a new URL derived from the incoming URL of the current request. 
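The condition above (a redirect target built from the incoming request and echoed back in the "Object moved" message) is the pattern that makes the reflected script possible. The following is an added illustration, not code from Microsoft or from the bulletin: hypothetical helpers that show the unchecked pattern beside a hardened version, which restricts the target to a site-relative path and HTML-encodes it before it lands in the response body. Sample inputs are constructed.

```javascript
// Added example (not from the bulletin). Classic ASP pages of the era used
// Response.Redirect with a value taken from the request; the server's redirect
// body then repeated that value verbatim. These hypothetical helpers model the
// body construction so the weak and hardened variants can be compared offline.

// Weak variant: the caller-supplied target is copied into the HTML unchanged,
// so any markup in the request URL is rendered by the browser.
function buildRedirectBodyUnsafe(target) {
  return '<head><title>Object moved</title></head><body><h1>Object Moved</h1>' +
         'This object may be found <a HREF="' + target + '">here</a>.</body>';
}

// Minimal HTML attribute/text encoder.
function htmlEncode(s) {
  return String(s).replace(/[&<>"']/g, function (c) {
    return { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c];
  });
}

// Accept only a site-relative path: must start with a single "/", must not be
// protocol-relative ("//host"), and must not carry control characters, quotes,
// angle brackets or backslashes. Anything else is rejected.
function isSafeRelativeTarget(target) {
  if (typeof target !== 'string' || target.length === 0 || target.length > 2048) {
    return false;
  }
  if (target.charAt(0) !== '/' || target.indexOf('//') === 0) return false;
  if (/[\u0000-\u001f\u007f<>"'\\]/.test(target)) return false;
  return true;
}

// Hardened variant: validate the target, fall back to a fixed page when it
// fails, and encode whatever is finally written into the attribute.
function buildRedirectBodySafe(target, fallback) {
  var dest = isSafeRelativeTarget(target) ? target : fallback;
  return '<head><title>Object moved</title></head><body><h1>Object Moved</h1>' +
         'This object may be found <a HREF="' + htmlEncode(dest) + '">here</a>.</body>';
}

// Constructed sample: a request value carrying stray markup (a harmless <b> tag
// stands in for anything a browser would execute).
var SAMPLE_BAD = '/default.asp?next="><b>marker</b>';
var SAMPLE_GOOD = '/page.asp?q=a&b=c';

if (typeof require !== 'undefined' && require.main === module) {
  console.log(buildRedirectBodyUnsafe(SAMPLE_BAD));
  console.log(buildRedirectBodySafe(SAMPLE_BAD, '/default.asp'));
  console.log(buildRedirectBodySafe(SAMPLE_GOOD, '/default.asp'));
}
```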

Server Side Include Web Pages Buffer Overrun 

* IIS 4.0, IIS 5.1 and IIS 6.0 are not affected. 
* The IIS Lockdown tool by default disables the ssinc.dll mapping, which will block this 
  attack. 
* By default IIS 5.0 runs under a user account and not the system account. Therefore an 
  attacker who successfully exploited the vulnerability would only gain user level 
  permissions rather than administrative level permissions. 
* An attacker must have the ability to upload files to the IIS Server. 

ASP Headers Denial of Service 

* An attacker must have the ability to upload files to the IIS server. 
* IIS 5.0 will automatically restart after failing. 
* IIS 5.1 and IIS 6.0 are not affected. 

WebDAV Denial of Service 

* IIS 6.0 is not affected. 
* IIS 5.0 and 5.1 will restart automatically after this failure. 
* The IIS Lockdown tool disables WebDAV by default, which will block this attack. 

Severity Rating:

                                             IIS 4.0    IIS 5.0    IIS 5.1 
Redirection Cross Site Scripting             Low        Low        Low 
Server Side Include Web Pages Buffer Overrun None       Moderate   None 
ASP Headers Denial of Service                Moderate   Moderate   None 
WebDAV Denial of Service                     None       Important  Important 
Aggregate Severity of all Vulnerabilities    Moderate   Important  Important 

The above assessment is based on the types of systems affected by the vulnerability, 
their typical deployment patterns, and the effect that exploiting the vulnerability 
would have on them. 

Vulnerability identifiers:

Redirection Cross Site Scripting CAN-2003-0223

Server Side Include Web Pages Buffer Overrun CAN-2003-0224

ASP Headers Denial of Service CAN-2003-0225

WebDAV Denial of Service CAN-2003-0226 

Tested Versions:
Microsoft tested IIS 4.0, 5.0, 5.1 and 6.0 to assess whether they are affected by 
these vulnerabilities. Previous versions are no longer supported, and may or may not 
be affected by these vulnerabilities.

Patch availability
Download locations for this patch 

* IIS 4.0: 
  All 

* IIS 5.0:
  All 

* IIS 5.1: 
  32-bit Edition 

  64-bit Edition 

 Additional information about this patch

Installation platforms: 

* The IIS 4.0 patch can be installed on systems running Windows NT 4.0 Service Pack 6a. 
* The IIS 5.0 patch can be installed on systems running Windows 2000 Service Pack 2 or 
  Service Pack 3. 
* The IIS 5.1 patch can be installed on systems running Windows XP Professional Gold 
  and Service Pack 1. 

Inclusion in future service packs: 

* No additional service packs are planned for Windows NT 4.0. 
* The IIS 5.0 fixes will be included in Windows 2000 Service Pack 4. 
* The IIS 5.1 fixes will be included in Windows XP Service Pack 2. 

Reboot needed: 

* IIS 4.0: A reboot can be avoided by stopping the IIS service, installing the patch with 
  the /z switch, then restarting the service. Knowledge Base article Q327696 provides 
  additional information on this procedure. 
* IIS 5.0: In most cases, the patch does not require a reboot. The installer stops the 
  needed services, applies the patch, then restarts them. However, if the needed services 
  cannot be stopped for any reason, it will require a reboot. If this occurs, a prompt 
  will be displayed advising of the need to reboot. 
* IIS 5.1: No. (In some cases, a pop-up dialogue may say that the system needs to be 
  rebooted in order for the patch installation process to be completed. This dialogue, 
  if it appears, can be ignored) 

Patch can be uninstalled: Yes 

Superseded patches:
This patch supersedes the ones provided in the following Microsoft Security Bulletins:

* MS02-062.
* MS02-028. 
* MS02-018. (This is a cumulative patch, and supersedes additional patches) 

Verifying patch installation:

IIS 4.0: 

* To verify that the patch has been installed on the machine, confirm that the 
  following registry key has been created on the machine: 
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q811114. 
* To verify the individual files, consult the file manifest in Knowledge Base 
  article 811114. 

IIS 5.0: 

* To verify that the patch has been installed on the machine, confirm that the 
  following registry key has been created on the machine: 
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP4\Q811114. 
* To verify the individual files, use the date/time and version information provided 
  in the following registry key: 
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP4\Q811114\Filelist. 

IIS 5.1: 

* To verify that the patch has been installed on the machine, confirm that the 
  following registry key has been created on the machine: 
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP2\Q811114. 
* To verify the individual files, use the date/time and version information provided 
  in the following registry key: 
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP2\Q811114\Filelist. 

Caveats: 

1. This patch requires the patch from Microsoft Security Bulletin MS02-050 to be 
installed. If this IIS cumulative patch is installed and MS02-050 is not present, 
client side certificates will be disabled. This functionality can be restored by 
installing the MS02-050 patch either before or after installing the IIS Cumulative 
patch. 

2. The fixes for four vulnerabilities affecting IIS 4.0 servers are not included in 
the patch, because they require administrative action rather than a software change. 
Administrators should ensure that in addition to applying this patch, they also have 
taken the administrative action discussed in the following bulletins: 

	* Microsoft Security Bulletin MS00-028 
	* Microsoft Security Bulletin MS00-025 
	* Microsoft Security Bulletin MS99-025 (which discusses the same issue as 
           Microsoft Security Bulletin MS98-004) 
	* Microsoft Security Bulletin MS99-013 

3. The patch does not include fixes for vulnerabilities involving non-IIS products 
like Front Page Server Extensions and Index Server, even though these products are 
closely associated with IIS and typically installed on IIS servers. At this writing, 
the bulletins discussing these vulnerabilities are: 

	* Microsoft Security Bulletin MS02-053 
	* Microsoft Security Bulletin MS02-050 
	* Microsoft Security Bulletin MS01-043 
	* Microsoft Security Bulletin MS01-025 
	* Microsoft Security Bulletin MS00-084 
	* Microsoft Security Bulletin MS00-018 
	* Microsoft Security Bulletin MS00-006 

There is, however, one exception. The fix for the vulnerability affecting Index 
Server which is discussed in Microsoft Security Bulletin MS01-033 is included in 
this patch. We have included it because of the seriousness of the issue for IIS 
servers. 

4. Customers using IIS 4.0 should ensure that they have followed the correct 
installation order before installing this or any security patch. Specifically, 
customers should ensure that Windows NT 4.0 Service Pack 6a has been applied 
(or re-applied) after installing the IIS 4.0 service. 

5. Customers using Site Server should be aware that a previously documented issue 
involving intermittent authentication errors has been determined to affect this and 
a small number of other patches. Microsoft Knowledge Base article Q317815 discusses 
the issue and how to resolve it. 

Localization:
Localized versions of this patch are available at the locations discussed in 
“Patch Availability”. 

Obtaining other security patches: 
Patches for other security issues are available from the following locations: 

* Security patches are available from the Microsoft Download Center, and can be most 
  easily found by doing a keyword search for "security_patch". 
* Patches for consumer platforms are available from the WindowsUpdate web site. 

Other information: 

Acknowledgments
Microsoft thanks the following for reporting these issues to us and working with 
us to protect customers: 

* SPIDynamics SPI Labs for reporting the Redirection Cross Site Scripting and WebDAV 
  Denial of Service vulnerabilities. 
* NSFocus for reporting the Server Side Include Web Pages Buffer Overrun vulnerability. 

Support: 

* Microsoft Knowledge Base article 811114 discusses this issue. Knowledge Base articles 
  can be found on the Microsoft Online Support web site. 
* Technical support is available from Microsoft Product Support Services. There is no 
  charge for support calls associated with security patches. 

Security Resources: The Microsoft TechNet Security Web Site provides additional 
information about security in Microsoft products. 

Disclaimer: 
The information provided in the Microsoft Knowledge Base is provided "as is" 
without warranty of any kind. Microsoft disclaims all warranties, either express 
or implied, including the warranties of merchantability and fitness for a particular 
purpose. In no event shall Microsoft Corporation or its suppliers be liable for any 
damages whatsoever including direct, indirect, incidental, consequential, loss of 
business profits or special damages, even if Microsoft Corporation or its suppliers 
have been advised of the possibility of such damages. Some states do not allow the 
exclusion or limitation of liability for consequential or incidental damages so the 
foregoing limitation may not apply. 

Revisions: 

* V1.0 (May 28, 2003): Bulletin Created. 

[***** End Microsoft Security Bulletin MS03-018 *****]

_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Microsoft Corporation for the 
information contained in this bulletin.
_______________________________________________________________________________


CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:      http://www.ciac.org/
   Anonymous FTP:       ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

N-088: Hewlett-Packard rexec Command Security Vulnerability
N-089: Red Hat MySQL Vulnerabilities
N-090: Red Hat mod_auth_any Vulnerabilities
N-091: Sun Cobalt PHP SafeMode Vulnerability
N-092: Microsoft Flaw in Windows Media Player Skins 
N-093: Cisco VPN 3000 Concentrator Vulnerabilities
N-094: HP Potential Security Vulnerability in wall(1M)
N-095: Red Hat Multiple Vulnerabilities in KDE
N-096: Red Hat New Kernel Fixes Local Security Issues
N-097: Red Hat Updated Tcpdump Packages
