Code Red Reveals New Security Hole in IIS

As the Code Red II worm spread across the Internet last week, users reported that their Web systems were suffering Denial of Service (DoS) attacks--even after they had installed the IIS patch Microsoft recommends in bulletin MS01-033.

Careful examination of Web logs revealed that the DoS attacks were related to the IIS URL-redirection feature that lets users direct a URL to another site on a different server. The Code Red II worm tries to infect a server by sending a malformed URL that contains a specialized character string. When IIS encounters this malformed URL during the URL redirection, the FTP, Web, proxy, and other IIS-related services stop responding.

Users notified Microsoft about the problem, and the company posted a message on its Web site last week. According to the message, the patch associated with bulletin MS01-033 is unrelated to the DoS attacks. Microsoft says that the Code Red II worm generates a particular malformed request that causes IIS services to stop. The company is working on a hotfix to correct the problem and says the problem doesn't affect Internet Information Services (IIS) 5.0--only Internet Information Server 4.0 configured to perform URL redirection.