Cumulative Patch for Internet Information Service New

Microsoft has released a cumlative patch for Microsoft Internet Information Services which resolves four vulnerabilities, the most serious of which could enable applications on a server to gain system-level privileges.

Issue

This patch is a cumulative patch that includes the functionality of all security patches released for IIS 4.0 since Windows NT 4.0 Service Pack 6a, and all security patches released to date for IIS 5.0 and 5.1. A complete listing of the patches superseded by this patch is provided below, in the section titled “Additional information about this patch”. Before applying the patch, system administrators should take note of the caveats discussed in the same section.

In addition to including previously released security patches, this patch also includes fixes for the following newly discovered security vulnerabilities affecting IIS 4.0, 5.0 and/or 5.1:

• A privilege elevation vulnerability affecting the way ISAPIs are launched when an IIS 4.0, 5.0 or 5.1 server is configured to run them out of process. By design, the hosting process (dllhost.exe) should run only in the security context of the IWAM_computername account; however, it can actually be made to acquire LocalSystem privileges under certain circumstances, thereby enabling an ISAPI to do likewise.
• A denial of service vulnerability that results because of a flaw in the way IIS 5.0 and 5.1 allocate memory for WebDAV requests. If a WebDAV request were malformed in a particular way, IIS would allocate an extremely large amount of memory on the server. By sending several such requests, an attacker could cause the server to fail.
• A vulnerability involving the operation of the script source access permission in IIS 5.0. This permission operates in addition to the normal read/write permissions for a virtual directory, and regulates whether scripts, .ASP files and executable file types can be uploaded to a write-enabled virtual directory. A typographical error in the table that defines the file types subject to this permission has the effect of omitting .COM files from the list of files subject to the permission. As a result, a user would need only write access to upload such a file.
• A pair of Cross-Site Scripting (CSS) vulnerabilities affecting IIS 4.0, 5.0 and 5.1, and involving administrative web page. Each of these vulnerabilities have the same scope and effect: an attacker who was able to lure a user into clicking a link on his web site could relay a request containing script to a third-party web site running IIS, thereby causing the third-party site’s response (still including the script) to be sent to the user. The script would then render using the security settings of the third-party site rather than the attacker’s.

In addition, the patch causes 5.0 and 5.1 to change how frequently the socket backlog list – which, when all connections on a server are allocated, holds the list of pending connection requests – is purged. The patch changes IIS to purge the list more frequently in order to make it more resilient to flooding attacks. The backlog monitoring feature is not present in IIS 4.0.

Affected Products

• Microsoft Internet Information Server 4.0
• Microsoft Internet Information Services 5.0
• Microsoft Internet Information Services 5.1

Download

Software patches are available from the following locations:

• Microsoft Internet Information Server 4.0
• Microsoft Internet Information Services 5.0
• Microsoft Internet Information Services 5.1 (32-bit)
• Microsoft Internet Information Services 5.1 (64-bit)

Further Details

Source: Microsoft Corporation

Reference: Microsoft Corporation

Updated: November 1, 2002

>> Recommended Download - secure your PC from spyware, adware and malware now with Spyware Doctor <<