Microsoft Issues Another Cumulative IIS Patch
Microsoft bundled five newly discovered IIS vulnerabilities into a
cumulative patch, posted Wednesday, that rolls together all the fixes
the Web server.
Microsoft Corp. bundled five newly discovered IIS vulnerabilities into
cumulative patch, posted Wednesday night, that rolls together all the
for the Web server.
The beleaguered Internet Information Server/Services software has
the source of negative publicity for Microsoft lately due to its role
vector for the Code Red worm. The new security rollup includes the
Code Red, but was created primarily to address other
It is also the second time this year that Microsoft has rolled
fixes together for IIS. Redmond issued a similar security roundup
in May. A security rollup was also released for Windows NT 4.0 a few
ago in lieu of the cancelled Service Pack 7.
In its bulletin announcing the
IIS security patch, Microsoft confirmed the existence of five IIS
vulnerabilities which can be exploited by means of denial-of-service
buffer overrun or privilege-elevation attacks.
A message from Russ Cooper, moderator of the NTBugTraq Mailing
reflected a "here we go again" attitude about the state of IIS
"I understand that you've probably just finished ensuring that all
your IIS servers have had MS01-033 [the Code Red patch] applied. Maybe
even went so far as to apply MS01-026 (the last IIS cumulative patch),"
"I'm loath to ask you to now go back to all of these machines and
yet another patch, however...there are several circumstances that may
to your systems that might make it necessary for you to get this new
Security Bulletin patch applied quickly," Cooper wrote. Users should
consider the patch immediately if they run Web hosting environments,
IIS authoring or do URL redirects from an IIS 4.0 box, according to
Possible attack scenarios include:
A DoS attack that exploits a flaw in IIS 4.0's Web site
redirection capabilities and which can cause an IIS server to stop
responding to HTTP requests. According to Microsoft, the notorious Code
worm generates traffic that in some cases is capable of exploiting this
In the aftermath of the Code Red worm, a number of administrators
messages to Microsoft's IIS newsgroup (microsoft.public.inetserver.iis
which they complained that even though their IIS 4.0 servers weren't
supposed to be susceptible to Code Red, they were nonetheless crashing
result of the extremely high network traffic generated by other
A DoS attack that exploits a flaw in Microsoft's
Web Distributed Authoring and Versioning (WebDAV), a set of
HTTP that facilitates Web-based document management capabilities.
According to Microsoft, its WebDAV implementation doesn't correctly
process a particular type of malformed request. If an attacker submits
malformed request of this kind to an IIS 5.0 Web server, she could
5.0 services to crash. Microsoft says that a DoS interruption would
temporary, however, because IIS 5.0 services automatically restart in
event of a failure.
A DoS attack that exploits a vulnerability associated with
in which IIS 5.0 interprets Multipurpose Internet Mail Extensions
Microsoft says that when an attacker places content containing a
(particular kind of an) invalid MIME header onto a server and
requests it, a spurious entry is created in the Web site's File Type
DoS occurs because IIS 5.0 is unable to serve any additional content
the spurious File Type table entry is removed.
A buffer overrun attack that exploits a vulnerability
with the code that IIS uses to process server-side include (SSI)
According to Microsoft, if an attacker can place a file directly
server, she can also include a malformed SSI directive that - once it's
processed - will enable her to execute code of her choice on a
Windows NT 4.0 or Windows 2000 server in Local System context.
says that an attacker doesn't actually have to request a file which
a malformed SSI directive to perpetrate an exploit of this type: Any
for such a file, initiated by an attacker or by an unsuspecting user,
trigger the exploit.
Local system context is the highest security context on a Windows NT
Windows 2000 system. An attacker who successfully exploited a
of this type would have complete control over a compromised system.
A privilege elevation vulnerability that results because of a
in the way that IIS determines whether a process should in-process or
out-of-process. Microsoft says that IIS 5.0 uses a table which lists
system files that should always run in-process. Because this table
both absolute addressing (in which a specific path to an executable is
specified) as well as relative addressing (in which only the name of an
executable is specified), however, it's possible for an attacker to
malicious program, rename it after the fashion of an in-process
and execute it with System Level privileges on a server.
An attacker who perpetrates an exploit of this type could take
control of a compromised system.
The software giant says that by default, unprivileged users don't
the ability to install or upload content to a server, so only
users are capable of successfully exploiting the last three
Although the latest batch of IIS patches is cumulative, at least
4.0 vulnerabilities that require administrative action rather than
patching aren't included in the latest hotfix roll-up. Microsoft also
that fixes for non-IIS-related vulnerabilities - including those
with Front Page Server Extensions and the Index Server/Indexing Service
aren't integrated into the latest hotfix roll-up, either.
But the software giant confirms that the new hotfix roll-ups
support for the Indexing Service/Index Server vulnerability that served
the basis for the recent spate of Code Red attacks.
There are two versions of the new patch. A version for Internet
Information Services 5.0 includes all security patches issued so far
5.0, which is part of Windows 2000. Another version for Internet
Server 4.0 rolls together all the security fixes for IIS 4.0 since
NT 4.0 Service Pack 5.
Stephen Swoyer is a Nashville, TN-based freelance journalist who writes about technology.