News

Microsoft Releases Patch for Security Vulnerability

Microsoft has released a patch to fight what it deems an “extremely serious vulnerability” in IIS 5.0, its most recent Web server.

Microsoft has released a patch to fight what it deems an “extremely serious vulnerability” in IIS 5.0, its most recent Web server. The vulnerability, if properly exploited, could give an attacker complete control of a server. The attacker, with control, could modify or destroy files and programs and potentially the server itself. IIS 4.0 Web servers aren’t affected.

It takes the form of a buffer-overrun weakness. According to Microsoft, the vulnerability results because the Internet Printing ISAPI extension in Windows 2000 contains an unchecked buffer. By sending a specially constructed request to the extension, an attacker could cause code to run in the Local System context.

The attacker could exploit the vulnerability against any server with which he or she could conduct a Web session. No other services need to be available, and only port 80 (HTTP) or 443 (HTTPS) has to be open.

Find the patch at www.microsoft.com/Downloads/Release.asp?ReleaseID=29321. Microsoft recommends that administrators take immediate action to avoid this potential disaster.

The following are security updates for Internet Explorer 5.01/5.5, Internet Information Services 5.0 and Windows NT 4.0/2000:

  • Internet Explorer Can Divulge Location of Cached Content—A vulnerability exists that lets a Web page or HTML e-mail be used to ascertain the physical location of cached content in Internet Explorer 5.01/5.5. An attacker exploiting this vulnerability can open the cache, launch .chm files that contain shortcuts to executables, and then run the executables. For the patch that’ll eliminate this vulnerability, go to www.microsoft.com/technet/security/bulletin/MS01-015.asp.
  • Malformed WebDAV Request Can Cause Internet Information Services 5.0 To Exhaust CPU Resources—WebDAV is an extension of the HTTP protocol that allows remote authoring and management of Web content. But a flaw exists in the way WebDAV handles a certain type of malformed request. If a stream of such requests is directed at a server running Internet Information Services 5.0, it can consume all of that server’s CPU availability. For the patch that’ll eliminate this vulnerability, go to www.microsoft.com/technet/security/bulletin/MS01-016.asp.
  • Erroneous VeriSign-Issued Digital Certificates Pose Spoofing Hazard—In late January, an individual fraudulently claiming to be a Microsoft employee applied for and received two VeriSign Class 3 code-signing digital certificates. These certificates can be used to make it appear that certain programs, ActiveX controls, Office macros and other executable content come from Microsoft, when in fact they don’t. For more information on this issue, go to www.microsoft.com/technet/security/bulletin/MS01-017.asp.

Microsoft, Redmond, Washington, www.microsoft.com.

Featured

  • Microsoft Offers More Help on Windows Server 2008 Upgrades

    Microsoft this week published additional help resources for organizations stuck on Windows Server 2008, which fell out of support on Jan. 14.

  • Microsoft Ups Its Carbon Reduction Goals

    Microsoft on Thursday announced a corporatewide carbon reduction effort that aims to make the company "carbon negative" by 2030.

  • How To Dynamically Lock Down an Unattended Windows 10 PC

    One of the biggest security risks in any organization happens when a user walks away from their PC without logging out. Microsoft has the solution (and it's not a password-protected screensaver).

  • First Stable Chromium-Based Microsoft Edge Browser Released

    Microsoft on Wednesday announced the first release of its Chromium-based Microsoft Edge browser at the "stable" commercial-release stage.

comments powered by Disqus

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.