News

Microsoft Releases Patch for Security Vulnerability

Microsoft has released a patch to fight what it deems an “extremely serious vulnerability” in IIS 5.0, its most recent Web server.

Microsoft has released a patch to fight what it deems an “extremely serious vulnerability” in IIS 5.0, its most recent Web server. The vulnerability, if properly exploited, could give an attacker complete control of a server. The attacker, with control, could modify or destroy files and programs and potentially the server itself. IIS 4.0 Web servers aren’t affected.

It takes the form of a buffer-overrun weakness. According to Microsoft, the vulnerability results because the Internet Printing ISAPI extension in Windows 2000 contains an unchecked buffer. By sending a specially constructed request to the extension, an attacker could cause code to run in the Local System context.

The attacker could exploit the vulnerability against any server with which he or she could conduct a Web session. No other services need to be available, and only port 80 (HTTP) or 443 (HTTPS) has to be open.

Find the patch at www.microsoft.com/Downloads/Release.asp?ReleaseID=29321. Microsoft recommends that administrators take immediate action to avoid this potential disaster.

The following are security updates for Internet Explorer 5.01/5.5, Internet Information Services 5.0 and Windows NT 4.0/2000:

  • Internet Explorer Can Divulge Location of Cached Content—A vulnerability exists that lets a Web page or HTML e-mail be used to ascertain the physical location of cached content in Internet Explorer 5.01/5.5. An attacker exploiting this vulnerability can open the cache, launch .chm files that contain shortcuts to executables, and then run the executables. For the patch that’ll eliminate this vulnerability, go to www.microsoft.com/technet/security/bulletin/MS01-015.asp.
  • Malformed WebDAV Request Can Cause Internet Information Services 5.0 To Exhaust CPU Resources—WebDAV is an extension of the HTTP protocol that allows remote authoring and management of Web content. But a flaw exists in the way WebDAV handles a certain type of malformed request. If a stream of such requests is directed at a server running Internet Information Services 5.0, it can consume all of that server’s CPU availability. For the patch that’ll eliminate this vulnerability, go to www.microsoft.com/technet/security/bulletin/MS01-016.asp.
  • Erroneous VeriSign-Issued Digital Certificates Pose Spoofing Hazard—In late January, an individual fraudulently claiming to be a Microsoft employee applied for and received two VeriSign Class 3 code-signing digital certificates. These certificates can be used to make it appear that certain programs, ActiveX controls, Office macros and other executable content come from Microsoft, when in fact they don’t. For more information on this issue, go to www.microsoft.com/technet/security/bulletin/MS01-017.asp.

Microsoft, Redmond, Washington, www.microsoft.com.

comments powered by Disqus
Most   Popular