
Cumulative Patch for Internet Information Services

Microsoft has released a cumulative patch that includes the functionality of all security patches released for IIS 4.0 since Windows NT 4.0 Service Pack 6a, and all security patches released to date for IIS 5.0 since Windows 2000 Service Pack 2 and for IIS 5.1.

Issue

In addition to all previously released security patches, this patch also includes fixes for the following newly discovered security vulnerabilities affecting IIS 4.0, 5.0 and 5.1:

  • A Cross-Site Scripting (CSS) vulnerability affecting IIS 4.0, 5.0 and 5.1 involving the error message that's returned to advise that a requested URL has been redirected. An attacker who was able to lure a user into clicking a link on his or her web site could relay a request containing script to a third-party web site running IIS, thereby causing the third-party site’s response (still including the script) to be sent to the user. The script would then render using the security settings of the third-party site rather than the attacker's.

  • A buffer overrun that results because IIS 5.0 does not correctly validate requests for certain types of web pages known as server-side includes. An attacker would need the ability to upload a server-side include page to a vulnerable IIS server. If the attacker then requested this page, a buffer overrun could result, which would allow the attacker to execute code of their choice on the server with system-level permissions.

  • A denial of service vulnerability that results because of a flaw in the way IIS 4.0 and 5.0 allocate memory requests when constructing headers to be returned to a web client. An attacker would need the ability to upload an ASP page to a vulnerable IIS server. This ASP page, when called by the attacker, would attempt to return an extremely large header to the calling web client. Because IIS does not limit the amount of memory that can be used in this case, this could cause IIS to fail as a result of running out of local memory.

  • A denial of service vulnerability that results because IIS 5.0 and 5.1 do not correctly handle an error condition when an overly long WebDAV request is passed to them. As a result, an attacker could cause IIS to fail; however, both IIS 5.0 and 5.1 will by default restart immediately after this failure.
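
The first item above, as an added illustration in Python (not Microsoft's code and not part of the original advisory): a redirect message that copies the requested URL into its HTML body unencoded, next to a version that encodes it first. The function names, page wording and sample request are constructed for this example.

```python
import html
from urllib.parse import quote

# Constructed request target carrying markup (inert marker, not a real payload).
SAMPLE_TARGET = '/docs/"><script>marker()</script>'

# Assumed wording for a "redirected" message page; the real page text may differ.
PAGE = ('<head><title>Object Moved</title></head><body><h1>Object Moved</h1>'
        'This object may be found <a href="{url}">here</a>.</body>')


def redirect_body_unencoded(target: str) -> str:
    """Flawed pattern: the requested URL is copied into the HTML verbatim."""
    return PAGE.format(url=target)


def redirect_body_encoded(target: str) -> str:
    """Hardened pattern: encode for the URL context, then for the HTML attribute."""
    # Percent-encode everything that is not a normal URL character; '%' stays
    # safe so input that is already percent-encoded is not double-encoded.
    url = quote(target, safe="/:?&=%#")
    # HTML-escape what remains ('&' and any quote) before placing it in href="".
    return PAGE.format(url=html.escape(url, quote=True))


def reflects_markup(body: str, target: str) -> bool:
    """Regression check: does the body echo markup characters from the request?"""
    risky = any(ch in target for ch in '<>"\'')
    return risky and target in body


if __name__ == "__main__":
    for build in (redirect_body_unencoded, redirect_body_encoded):
        body = build(SAMPLE_TARGET)
        print(f"{build.__name__}: reflects markup = "
              f"{reflects_markup(body, SAMPLE_TARGET)}")
        print(" ", body)
```

Because the response comes from the third-party site, anything echoed unencoded runs in that site's security context, which is why the encoding has to happen on the server that builds the message.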

Affected Products

  • Microsoft Internet Information Server 4.0
  • Microsoft Internet Information Services 5.0
  • Microsoft Internet Information Services 5.1

Download

Software patches are available from the following locations:

Further Details

Source: Microsoft Corporation

Reference: Microsoft Corporation

Updated: May 30, 2003
