The Newest IIS Security Rollup

After engaging in numerous real-time cyber–sword fights against malicious intruders for weeks, I am particularly sensitive to Microsoft IIS security hotfixes these days. Although I don't yet have all the data I need to do a technically correct forensic analysis of the break-in I'm researching, it appears that intruders used a Trojan Horse to hijack the Web server for nefarious purposes. My top candidates for the hijacker activity include pushing spam files or stolen software through the Internet. The hijacking ended with a firewall that's now dead and refuses to boot.

I strongly encourage you to update all your Internet Information Services (IIS) 5.1, IIS 5.0, and Internet Information Server (IIS) 4.0 Web servers with the latest IIS security rollup, which you can learn about in the Microsoft article "MS03-018: May 2003 Cumulative Patch for Internet Information Services (IIS)". The article contains download links for all affected IIS versions.

In the never-ending battle between developers and crackers, the latest IIS security rollup closes four new vulnerabilities: a cross-site scripting security problem, a buffer overflow, and two forms of Denial of Service (DoS) attacks. Although none of the fixes are rated critical, keeping your IIS servers patched and current is important. Failure to do so opens the door to more sophisticated exploits that leverage the same flaws in the future. The rollup does the following:

-- Eliminates a cross-site scripting vulnerability that lets an IIS server redirect an Active Server Pages (ASP) script meant for server A to an alternate IIS server, server B. Server B responds to the client request, and the redirected script executes using the security settings on server B rather than the settings on server A. If server B is less secure, the script runs with elevated privileges.

-- Eliminates a buffer overflow that occurs in Windows 2000 IIS servers because that version doesn't correctly validate requests for server-side include files. A malicious user can leverage this flaw by uploading a script that generates the buffer overflow to the unsecured server. After the buffer overflow occurs, the malicious user can run code with unrestricted access in the system's security context.

-- Eliminates a DoS vulnerability in Win2K and Windows NT IIS servers that occurs because IIS doesn't limit the amount of memory a script can allocate when creating the header for an HTTP response. To exploit this flaw, an attacker must first place a page with suitably programmed ASP script onto an unsecured server. If the script allocates a large enough block of memory, IIS dies.

-- Eliminates a second DoS vulnerability in Windows XP and Win2K IIS servers that occurs because of how IIS responds to errors when it processes a long WWW Distributed Authoring and Versioning (WebDAV) request. When an attacker exploits this flaw, IIS stops and immediately restarts. For servers that you've secured with the IIS Lockdown utility, Lockdown disables WebDAV authoring.
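One way to act on the WebDAV item above, as an added example that is not from the original column or from Microsoft: a Python audit of an IIS W3C extended log that counts WebDAV requests per client (to see who depends on WebDAV before Lockdown disables it) and flags unusually large ones. Using `cs-bytes` as the measure of a "long" request, the 16 KB threshold, and the sample log lines are assumptions constructed for illustration.

```python
# Added example: audit an IIS W3C extended log for WebDAV traffic.
from collections import Counter

# HTTP methods defined by WebDAV (RFC 2518) plus SEARCH (a DASL extension method).
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE",
                  "LOCK", "UNLOCK", "SEARCH"}
MAX_REQUEST_BYTES = 16384  # assumed threshold; tune it to your own baseline

# Constructed sample log, not captured from a real server.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2003-05-28 10:00:00
#Fields: date time c-ip cs-method cs-uri-stem sc-status cs-bytes
2003-05-28 10:00:01 192.0.2.10 GET /default.asp 200 312
2003-05-28 10:00:05 192.0.2.44 PROPFIND /docs/ 207 420
2003-05-28 10:00:09 198.51.100.7 SEARCH / 500 70213
2003-05-28 10:00:12 192.0.2.44 LOCK /docs/plan.doc 200 -
"""

def audit_webdav(log_text, max_bytes=MAX_REQUEST_BYTES):
    """Return (WebDAV request count per client, list of oversized WebDAV rows)."""
    fields, per_client, oversized = [], Counter(), []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # the field layout can change mid-file
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue                    # skip truncated or malformed rows
        row = dict(zip(fields, values))
        if row.get("cs-method", "").upper() not in WEBDAV_METHODS:
            continue
        per_client[row.get("c-ip", "?")] += 1
        size = row.get("cs-bytes", "-")  # "-" means the value was not logged
        if size.isdigit() and int(size) > max_bytes:
            oversized.append(row)
    return per_client, oversized

if __name__ == "__main__":
    clients, big = audit_webdav(SAMPLE_LOG)
    print("WebDAV requests per client:", dict(clients))
    for r in big:
        print("oversized:", r["c-ip"], r["cs-method"], r["cs-uri-stem"], r["cs-bytes"])
```

The `cs-bytes` field must be enabled in the site's extended logging properties for the size check to have data; rows that log `-` are counted but never flagged.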

If you stay on top of security fixes, you no doubt have already used the identity spoofing hotfix in Microsoft Security Bulletin MS02-050 (Certificate Validation Flaw Could Enable Identity Spoofing) to update client systems that run Microsoft Office. If you haven't installed the client certificate hotfix, you should do so before you install the IIS security rollup. The bulletin has download links for this identity spoofing update for a variety of clients, including XP, Win2K, Windows 9x, and Macintosh. If you don't update your clients and IIS requires certificates for authentication, IIS will reject the client certificates when those clients attempt to connect to the updated IIS server.

I also want to remind you to update Microsoft Internet Explorer (IE) on all your systems with the security rollup Microsoft released on April 24. If you don't install the rollup, a malicious user can exploit the latest batch of vulnerabilities from a Web site or an HTML-based email message to download and run code on unpatched systems. I describe the risks and provide the download links for all versions of IE in my May 27 Keeping Up with Win2K and NT column.
