Internet Information Server, Active
and Microsoft Transaction Server Vulnerabilities
Reported December 12, 1997 by Microsoft
Any systems using IIS with Active Server Pages, and MS
Paraphrased from Knowledge
Base article Q147222:
IIS/ASP Security Context Becomes Corrupt Under Stress
Microsoft says that under stress, a script that is supposed to run under the security
context of a specific user may wind up running under the context of the built-in SYSTEM
account instead. As you may know, the SYSTEM account is all-powerful, and as such, this
behavior is undesirable.
Microsoft points out running programs under the wrong
security context may result in incorrect file access, incorrect component availability,
and incorrect component capabilities. E.G. You"re at the mercy of the attacker.
Potential Security Hole With Out-of-Process
If there are out-of-process Transaction Server packages using role-based security, it is
possible for someone who has access to the computer to spoof the identity that the MTS
package believes is calling the package. A fix is available for the problem. A side effect
of this fix is that all out-of-process components configured to "Activate as
Activator" will now run under the context of the built-in SYSTEM account, where
formerly they would run under a non-deterministic user context.
The hotfix is located here.
To learn more about
new NT security concerns, subscribe to NTSD.
Reported by: Microsoft
Posted here at NTSecurity.Net February 15, 1997