Microsoft Security Updates
IE 5, IIS 5.0, and Windows NT/2000 affected.
The following are security updates for
Internet Explorer 5.01/5.5, Internet Information
Services 5.0 and Windows NT 4.0/2000:
- Internet Explorer Can Divulge
Location of Cached Content—A vulnerability
exists that lets a Web page or HTML e-mail be
used to ascertain the physical location of cached
content in Internet Explorer 5.01/5.5. An attacker
exploiting this vulnerability can open the cache,
launch .chm files that contain shortcuts to
executables, and then run the executables. For
the patch that’ll eliminate this vulnerability,
go to www.microsoft.com/technet/security/bulletin/MS01-015.asp.
- Malformed WebDAV Request Can
Cause Internet Information Services 5.0 To Exhaust
CPU Resources—WebDAV is an extension of
the HTTP protocol that allows remote authoring
and management of Web content. But a flaw exists
in the way WebDAV handles a certain type of
malformed request. If a stream of such requests
is directed at a server running Internet Information
Services 5.0, it can consume all of that server’s
CPU availability. For the patch that’ll eliminate
this vulnerability, go to www.microsoft.com/technet/security/bulletin/MS01-016.asp.
- Erroneous VeriSign-Issued
Digital Certificates Pose Spoofing Hazard—In
late January, an individual fraudulently claiming
to be a Microsoft employee applied for and received
two VeriSign Class 3 code-signing digital certificates.
These certificates can be used to make it appear
that certain programs, ActiveX controls, Office
macros and other executable content come from
Microsoft, when in fact they don’t. For more
information on this issue, go to www.microsoft.com/technet/security/bulletin/MS01-017.asp.
Microsoft, Redmond, Washington, www.microsoft.com.