IIS / ASP / MTS Vulnerabilities

Internet Information Server, Active Server Pages,
and Microsoft Transaction Server Vulnerabilities

Reported December 12, 1997 by Microsoft

Systems Affected

Any systems using IIS with Active Server Pages, and MS Transaction Server


Paraphrased from Knowledge Base article Q147222:

IIS/ASP Security Context Becomes Corrupt Under Stress

Microsoft says that under stress, a script that is supposed to run under the security context of a specific user may wind up running under the context of the built-in SYSTEM account instead. As you may know, the SYSTEM account is all-powerful, and as such, this behavior is undesirable.

Microsoft points out running programs under the wrong security context may result in incorrect file access, incorrect component availability, and incorrect component capabilities. E.G. You"re at the mercy of the attacker.

Potential Security Hole With Out-of-Process Applications

If there are out-of-process Transaction Server packages using role-based security, it is possible for someone who has access to the computer to spoof the identity that the MTS package believes is calling the package. A fix is available for the problem. A side effect of this fix is that all out-of-process components configured to "Activate as Activator" will now run under the context of the built-in SYSTEM account, where formerly they would run under a non-deterministic user context.

Microsoft"s Response:

The hotfix is located here.

To learn more about new NT security concerns, subscribe to NTSD.

Reported by: Microsoft
Posted here at NTSecurity.Net February 15, 1997

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.