News

Microsoft Releases Patch for Security Vulnerability

Microsoft has released a patch to fight what it deems an “extremely serious vulnerability” in IIS 5.0, its most recent Web server.

Microsoft has released a patch to fight what it deems an “extremely serious vulnerability” in IIS 5.0, its most recent Web server. The vulnerability, if properly exploited, could give an attacker complete control of a server. The attacker, with control, could modify or destroy files and programs and potentially the server itself. IIS 4.0 Web servers aren’t affected.

It takes the form of a buffer-overrun weakness. According to Microsoft, the vulnerability results because the Internet Printing ISAPI extension in Windows 2000 contains an unchecked buffer. By sending a specially constructed request to the extension, an attacker could cause code to run in the Local System context.

The attacker could exploit the vulnerability against any server with which he or she could conduct a Web session. No other services need to be available, and only port 80 (HTTP) or 443 (HTTPS) has to be open.

Find the patch at www.microsoft.com/Downloads/Release.asp?ReleaseID=29321. Microsoft recommends that administrators take immediate action to avoid this potential disaster.

The following are security updates for Internet Explorer 5.01/5.5, Internet Information Services 5.0 and Windows NT 4.0/2000:

  • Internet Explorer Can Divulge Location of Cached Content—A vulnerability exists that lets a Web page or HTML e-mail be used to ascertain the physical location of cached content in Internet Explorer 5.01/5.5. An attacker exploiting this vulnerability can open the cache, launch .chm files that contain shortcuts to executables, and then run the executables. For the patch that’ll eliminate this vulnerability, go to www.microsoft.com/technet/security/bulletin/MS01-015.asp.
  • Malformed WebDAV Request Can Cause Internet Information Services 5.0 To Exhaust CPU Resources—WebDAV is an extension of the HTTP protocol that allows remote authoring and management of Web content. But a flaw exists in the way WebDAV handles a certain type of malformed request. If a stream of such requests is directed at a server running Internet Information Services 5.0, it can consume all of that server’s CPU availability. For the patch that’ll eliminate this vulnerability, go to www.microsoft.com/technet/security/bulletin/MS01-016.asp.
  • Erroneous VeriSign-Issued Digital Certificates Pose Spoofing Hazard—In late January, an individual fraudulently claiming to be a Microsoft employee applied for and received two VeriSign Class 3 code-signing digital certificates. These certificates can be used to make it appear that certain programs, ActiveX controls, Office macros and other executable content come from Microsoft, when in fact they don’t. For more information on this issue, go to www.microsoft.com/technet/security/bulletin/MS01-017.asp.

Microsoft, Redmond, Washington, www.microsoft.com.

Featured

  • RAMBleed Side-Channel Attack Method Disclosed by Researchers

    Academic researchers this week published information about another side-channel attack method, called "RAMBleed," that can expose information from memory chips, including encryption key information.

  • Penguin

    Windows 10 Preview Build 18917 Shows Off New Linux Integration

    Microsoft's latest Windows 10 "fast-ring" preview release is showcasing a coming Delivery Optimization enhancement, along with the ability to try the newly emerged Windows Subsystem for Linux version 2.

  • Customizing Microsoft Office 365

    While the overall look and feel of Office 365 is pretty standard across organizations, there are several ways to personalize it and make it fit better with your company's specific needs.

  • Microsoft 365 Business Tenants Getting Conditional Access and Trouble-Ticket Features

    Microsoft added its conditional access security service to Microsoft 365 Business subscriptions, according to a Wednesday announcement, and it also added new trouble-ticket features for Microsoft 365 administrators.

comments powered by Disqus

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.