IIS Security Rollup; TCP/IP, FRS, and Fax Service Fixes

IIS Security Rollup for XP, Win2K, and NT
Microsoft released an extensive security rollup for Microsoft Internet Information Services versions 5.1 (Windows XP) and 5.0 (Windows 2000) and Internet Information Server 4.0 (NT) on April 9. The update contains code fixes for eight new vulnerabilities, including three buffer overruns, one access violation, one potential Denial of Service (DoS) attack, and three cross-scripting issues, as well as all previously released IIS security patches. You can read a detailed description of each vulnerability and its potential effects (severity level) in Security Bulletin MS02-018, "Patch Available for Cross-Site Scripting in IIS Help File Search Facility Vulnerability."

Visit the following links to download the update specific to your OS:
XP systems running IIS 5.1
Win2K systems running IIS 5.0
NT systems running IIS 4.0

All three download files follow the hotfix naming convention q319733_<OS>_sp3_x86_en.exe. The Win2K download expands 102 files with a size of 13MB, including an updated sp3.cat catalog file that contains signatures and version numbers for the replacement code packaged in the rollup.

The rollup uses the standard hotfix installer (hotfix.exe) that accepts command-line options that let you control how the installer operates. You might want to rename the download file to something shorter, such as Q319733, which takes less typing to query the hotfix installer options at a command prompt (e.g., Q319733 /?) or to run the installer with the options you need. The most popular options are

  • -x to extract, but not install, the files
  • -q to install the update in quiet mode (when you install using a batch file)
  • -l to list all currently installed hotfixes
  • -u to install the hotfix in unattended mode
  • -z to suppress the automatic reboot (when you install using a batch file)

Microsoft recommends you backup the IIS metabase before you apply the rollup. You'll find links to instructions for backing up the database in Microsoft article "MS02-018: April 2002 Cumulative Patch for Internet Information Services." The documentation states that you can perform the installation on a running system without a reboot. The installer stops all IIS services, applies patches, and restarts the services. If, for some reason, the installer prompts you to restart the system, just say no! As an alternative, you can use the –z option, which suppresses the automatic reboot when you apply the hotfix.

TCP/IP Blue Screen
If you manage Web, email, or Internet Security and Acceleration (ISA) servers that consistently sustain high TCP/IP data rates, a bug in how the TCP/IP module performs under stress can cause the server to crash. The data rate that produces this rare failure can be reached only on a network that connects systems with Gigabit network adapters; this failure is highly unlikely on the more common 10/100Mbps Ethernet systems. You can eliminate the problem by installing the newest version of tcpip.sys. Microsoft released the update on February 26, and you must obtain the update directly from Microsoft support. For more information about this problem, see the Microsoft article "Problems with Very High Data Rates Over TCP/IP with Windows 2000."

FRS Memory Leak
Windows 2000 domain controllers (DCs) and servers use File Replication Service (FRS) to replicate system policy and logon scripts and to replicate content between systems hosting the same DFS roots. In February, I described the FRS Post-Service Pack 2 (SP2) update that improves FRS performance and eliminates multiple problems. If you haven’t installed this update, and you manage a large network with 40 or more DCs, you need to install this update to eliminate a newly discovered FRS memory leak.

A bug in the SP2 version of FRS causes all the DCs to leak memory in the ntfrs.exe process. The leak is related to the number of replicating DCs, so the more DCs, the greater the memory leak. A logic error in FRS causes the component to create new objects, instead of reusing existing objects. When FRS creates new objects, the service doesn't release the existing objects, which remain in memory. Over time, the private byte memory leak can slow system performance. The reference article states that this problem also surfaces if you significantly shorten the polling interval DFS uses to detect and propagate directory tree and file system changes. You can release the allocated, but unused memory, by periodically restarting the FRS service on affected DCs. To eliminate the problem, call Microsoft Support and ask for the FRS Post-SP2 hotfix. See my column "New Multiprocessor Issues; More Desktop Shortcuts," for more information about the extensive FRS improvements in this hotfix. For more information about this problem, see Microsoft article "FRS Service Leaks a Large Amount of Private Bytes in a Network with a Large Number of Domain Controllers."

Fax Service Access Violation
A coding error in handling long printer names can cause a fax service buffer overrun that might cause the Spooler service to generate an access violation, especially on systems running Windows 2000 Terminal Services. You can eliminate the Spooler failure by installing the newest version of Win2K fax code, which is available only from Microsoft Support. Microsoft released the update on March 21; it contains new versions of two files: the fax driver faxdrv.sys and the user interface module faxui.dll. For more information, see Microsoft article "Fax Driver Causes Problems with the Spooler Service."

Disabling Automatic Shortcut Repairs
When you relocate or remove the executable to which a shortcut points, Windows XP and Windows 2000 automatically attempt to resolve the shortcut. On a system with large capacity disks or on a system that contains shortcuts that point to network drives, you can wait a long time for the system to locate the shortcut's object or to report that the file or executable is no longer available. If you prefer to correct your own shortcut link problems, you can disable this function with an Active Directory (AD) policy change or a local registry edit. To deploy this change with Group Policy, open Group Policy Editor (GPE), navigate to User Configuration\AdministrativeTemplates\Start Menu and enable the "Do not use the tracking-based method when resolving shell shortcuts" option. To disable link tracking on a specific machine, open a registry editor, go to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer subkey, and add the value entry NoResolveTrack:REG_DWORD:1. For details, see the Microsoft article "HOW TO: Disable the NTFS File System Tracking of Broken Shortcut Links."

TAGS: Security
Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.