IIS ISAPI Filter PlainText Leak
Reported December 02, 1999 by Microsoft
Microsoft IIS 4.0
Microsoft Site Server 3.0
Microsoft Site Server Commerce Edition 3.0
Microsoft reported a vulnerability in the SSL ISAPI filter shipped with Internet Information Server and used by other Microsoft products.
According to the report, "If called by a multi-threaded application under very specific, and fairly rare, circumstances, a synchronization error in the filter could allow a single buffer of plaintext to be transmitted back to the data's owner."
"The SSL ISAPI filter provided as part of IIS supports concurrent use. When used in this mode, a synchronization problem could induce a race condition and cause a single buffer of plaintext to be leaked. The conditions under which this could happen are very rare, and could only occur when a single user's session was multi-threaded and traffic volumes were extremely high."
According to Microsoft, the scope of this vulnerability is very limited: "the leaked plaintext would always be sent to its owner, and never another user. Also, because the leaked data would fail its integrity check, the effect of the leak would be to cause the SSL session to immediately collapse. The condition could not be induced by a hostile user, and would offer at best a target of opportunity."
"Finally, it is worth noting that this vulnerability only affects the SSL ISAPI filter, not the secure communications capability provided by Windows NT via
Microsoft issued a patch for Intel and Alpha, a FAQ, and Support Online article Q244613 regarding this matter.
Discovered by ?