[8762] in bugtraq

home help back first fref pref prev next nref lref last post

Microsoft Security Bulletin (MS98-019) (fwd)

daemon@ATHENA.MIT.EDU (Rattle)
Tue Dec 22 01:33:48 1998

Date: 	Mon, 21 Dec 1998 15:56:44 -0600
Reply-To: Bugtraq List <BUGTRAQ@NETSPACE.ORG>
From: Rattle <rattle@TLORAH.NET>
To: BUGTRAQ@NETSPACE.ORG

Another IIS DoS attack?  Of course!

...
. Nick Levay
. rattle@tlorah.net
. "There are two major products that come out of Berkeley:  LSD and UNIX.
. We do not believe this to be a coincidence."


>The following is a Security  Bulletin from the Microsoft Product Security
>Notification Service.
>
>Please do not  reply to this message,  as it was sent  from an unattended
>mailbox.
>                    ********************************
>
>Microsoft Security Bulletin (MS98-019)
>--------------------------------------
>
>Patch Available for IIS "GET" Vulnerability
>
>Originally Posted: December 21, 1998
>
>Summary
>=======
>Microsoft has released a patch that fixes a vulnerability in Microsoft(r)
>Internet Information  Server(r) that could allow denial-of-service attacks
>to be mounted against web servers.
>
>There have been no reports of customers being affected by this
>vulnerability. However, Microsoft  is publishing this bulletin and
releasing
>the patch to allow customers to address the potential  security risk it
>poses. As detailed below in What Customers Should Do, Microsoft recommends
>that  users evaluate whether they are at risk from this attack and install
>the patch if appropriate.
>
>Issue
>=====
>This vulnerability involves the HTTP GET method, which is used to obtain
>information from an IIS  web server. Specially-malformed GET requests can
>create a denial of service situation that  consumes all server resources,
>causing a server to "hang." In some cases, the server can be put  back into
>service by stopping and restarting IIS; in others, the server may need to
be
>rebooted.  This situation cannot happen accidentally. The malformed GET
>requests must be deliberately  constructed and sent to the server. It is
>important to note that this vulnerability does not  allow data on the
server
>to be compromised, nor does it allow any privileges on it to be usurped.
>
>Affected Software Versions
>==========================
> - Microsoft Internet Information Server, versions 3.0 and 4.0, on x86 and
>Alpha platforms.
>
>What Microsoft is Doing
>=======================
>On December 21, Microsoft released a patch that fixes the problem. This
>patch is available for  download from the sites listed below.  Please see
>What Customers Should Do for additional  information on the patch.
>
>Microsoft has sent this security bulletin to customers subscribing
>to the Microsoft Product Security Notification Service (see
>http://www.microsoft.com/security/services/bulletin.asp for
>more information about this free customer service).
>
>Microsoft has published the following Knowledge Base (KB) article on this
>issue:
> - Microsoft Knowledge Base (KB) article Q192296,
>   IIS: Patch Available for IIS "GET" Vulnerability,
>   http://support.microsoft.com/support/kb/articles/q192/2/96.asp.
>   (Note: It might take 24 hours from the original posting of this
>   bulletin for the updated KB article to be visible in the Web-based
>   Knowledge Base.)
>
>Microsoft has released the following hot fixes:
> - Fix for IIS 3.0 on X86 platforms:
>   ftp://ftp.microsoft.com/bussys/iis/iis-public
>   /fixes/usa/security/Infget-fix/infget3i.exe
> - Fix for IIS 4.0 on X86 platforms:
>   ftp://ftp.microsoft.com/bussys/iis/iis-public
>   /fixes/usa/security/Infget-fix/infget4i.exe
> - Fix for IIS 3.0 on Alpha platforms:
>   ftp://ftp.microsoft.com/bussys/iis/iis-public
>   /fixes/usa/security/Infget-fix/infget3a.exe
> - Fix for IIS 4.0 on Alpha platforms:
>   ftp://ftp.microsoft.com/bussys/iis/iis-public
>   /fixes/usa/security/Infget-fix/infget4a.exe
>(Note: the URLs above have been wrapped for readability)
>
>What Customers Should Do
>========================
>The patch for this vulnerability is fully supported. However, it has not
>been fully regression  tested and should only be applied to systems
>determined to be at risk of attack. A fully  regression-tested version of
>the patch will be available as part of the next Windows NT service  pack.
>
>Microsoft recommends that customers evaluate the degree of risk that this
>vulnerability poses to  their systems, based on physical accessibility,
>network and Internet connectivity, and other  factors, and determine
whether
>the appropriate course of action is to apply the patch or wait for  the
next
>service pack.
>
>More Information
>================
>Please see the following references for more information related to this
>issue.
> - Microsoft Security Bulletin 98-019,
>   Patch Available for IIS "GET" Vulnerability
>   (the Web-posted version of this bulletin),
>   http://www.microsoft.com/security/bulletins/ms98-019.asp.
> - Microsoft Knowledge Base (KB) article Q192296,
>   IIS: Patch Available for IIS "GET" Vulnerability,
>   http://support.microsoft.com/support/kb/articles/q192/2/96.asp.
>   (Note: It might take 24 hours from the original posting of this
>   bulletin for the updated KB article to be visible in the Web-based
>   Knowledge Base.)
>
>Obtaining Support on this Issue
>===============================
>This is a supported patch. If you have problems installing
>this patch or require technical assistance with this patch,
>please contact Microsoft Technical Support. For information
>on contacting Microsoft Technical Support, please see
>http://support.microsoft.com/support/contact/default.asp.
>
>Acknowledgements
>================
>Microsoft wishes to acknowledge the contribution made by
>Brian Steele of Cable and Wireless Grenada, Ltd. (www.candw.com),
>and Eugene Kalinin of the N. N.Burdenko Neurosurgery Institute,
>who reported the problem to us.
>
>Revisions
>=========
> - December 21, 1998: Bulletin Created
>
>
>For additional security-related information about Microsoft products,
>please visit http://www.microsoft.com/security
>
>
>---------------------------------------------------------------------------
>
>THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS
IS"
>WITHOUT WARRANTY OF  ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER
>EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES  OF MERCHANTABILITY AND
FITNESS
>FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION  OR ITS
>SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
>INCIDENTAL,  CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES,
>EVEN IF MICROSOFT CORPORATION OR ITS  SUPPLIERS HAVE BEEN ADVISED OF THE
>POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE  EXCLUSION OR
>LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE
>FOREGOING  LIMITATION MAY NOT APPLY.
>
>(c) 1998 Microsoft Corporation. All rights reserved. Terms of Use.
>
>   *******************************************************************
>You have received  this e-mail bulletin as a result  of your registration
>to  the   Microsoft  Product  Security  Notification   Service.  You  may
>unsubscribe from this e-mail notification  service at any time by sending
>an  e-mail  to  MICROSOFT_SECURITY-SIGNOFF-REQUEST@ANNOUNCE.MICROSOFT.COM
>The subject line and message body are not used in processing the request,
>and can be anything you like.
>
>For  more  information on  the  Microsoft  Security Notification  Service
>please    visit    http://www.microsoft.com/security/bulletin.htm.    For
>security-related information  about Microsoft products, please  visit the
>Microsoft Security Advisor web site at http://www.microsoft.com/security.

home help back first fref pref prev next nref lref last post