Reported March 1, 2001, by Microsoft.
VERSIONS AFFECTED
- Microsoft IIS Server 5.0
- Microsoft Exchange 2000 Server
DESCRIPTION
IIS 5.0 and Exchange 2000 servers both contain a
flaw that might result in a Denial of Service (DoS). By repeatedly sending a URL
of a specific construction, a malicious user can cause a memory allocation error
resulting in the failure of the IIS service. The Messaging API (MAPI)-based mail
clients under Exchange 2000 are not affected, but the IIS service failure can
temporarily disrupt the Web-based mail clients until the automatic restart of
the affected services. The flaw exists in the code modules of both IIS and
Exchange 2000. For this reason, Exchange 2000 administrators should apply both
available patches that address this vulnerability.
This particular vulnerability does not let the attacker gain administrative control or alter any data on the server. A properly configured Exchange 2000 server would be less at risk than an IIS server because the Internet Server API (ISAPI) involved authenticates the user before servicing the request.
VENDOR RESPONSE
Microsoft has issued security bulletin MS01-014 to address this vulnerability.
CREDIT
Discovered by Kevin Kotas of eSecurityOnline.com.