Patch Available for .htr Vulnerability
Microsoft has released a patch to eliminate a known vulnerability in files with the .htr extension. Malicious users can exploit an unprotected IIS server to degrade its performance and to read files they would not otherwise have permission to access. Applications mainly use .htr files when users change passwords through IIS on a Windows NT server. If your application doesn't use this functionality, you might consider removing that application mapping to prevent files with the .htr extension from executing in IIS. Click here for more information about the patch. Click here for more information about the IIS Security Checklist.
Microsoft Releases Patch for Malformed Extension Data in URL Vulnerability
Earlier this month, Microsoft released Security Bulletin MS00-030 and a patch that corrects a vulnerability in IIS 4.0 and IIS 5.0. This vulnerability lets malicious users submit URLs to IIS with specially malformed file extension information, which can slow the Web server and prevent valid users from accomplishing useful work. The Denial of Service (DoS) condition is only temporary, and the Web server returns to normal operation when it has parsed the URL. Click here for more information about this vulnerability and a patch to correct it.