IIS ISAPI Filter PlainText Leak - 02 Dec 1999

IIS ISAPI Filter PlainText Leak
Reported December 02, 1999 by

Microsoft IIS 4.0
  • Microsoft Site Server 3.0
  • Microsoft Site Server Commerce Edition 3.0


    Microsoft reported a vulnerability in the SSL ISAPI filter shipped with Internet Information Server and used by other Microsoft products.

    According to the report, "If called by a multi-threaded application under very specific, and fairly rare, circumstances, a synchronization error in the filter could allow a single buffer of plaintext to be transmitted back to the data"s owner."

    "The SSL ISAPI filter provided as part of IIS supports concurrent use. When used in this mode, a synchronization problem could induce a race condition and cause a single buffer of plaintext to be leaked. The conditions under which this could happen are very rare, and could only occur when a single user"s session was multi-threaded and traffic volumes were extremely high."

    According to Microsoft, the scope of this vulnerability is very limited: "the leaked plaintext would always be sent to its owner, and never another user. Also, because the leaked data would fail its integrity check, the effect of the leak would be to cause the SSL session to immediately collapse. The condition could not be induced by a hostile user, and would offer at best a target of opportunity."

    "Finally, it is worth noting that this vulnerability only affects the SSL
    ISAPI filter, not the secure communications capability provided by Windows NT via Schannel."


    Microsoft issued a patch for Intel and Alpha, FAQ, and Support Online article Q244613 regarding this matter.

    Discovered by ?

  • Hide comments


    • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

    Plain text

    • No HTML tags allowed.
    • Web page addresses and e-mail addresses turn into links automatically.
    • Lines and paragraphs break automatically.