[8] in Security FYI
new security hole found in Microsoft IIS/4.0 web server
daemon@ATHENA.MIT.EDU (mhpower@MIT.EDU)
Wed Jun 16 05:24:59 1999
From: <mhpower@MIT.EDU>
Date: Wed, 16 Jun 1999 05:24:47 -0400
Message-Id: <199906160924.FAA15686@the-oz.mit.edu>
To: security-fyi@MIT.EDU
Cc: wa@MIT.EDU
Reply-To: net-security@MIT.EDU

Yesterday there was an announcement of a security problem with the
Microsoft IIS/4.0 (Internet Information Server version 4.0) web
server. The security problem allows intruders anywhere on the Internet
to break into and gain complete control of Windows NT systems that are
running this web server. Microsoft has issued a security bulletin
describing a workaround that is intended to eliminate the security
problem. Basically, the bulletin indicates that one should change the
WWW service configuration by removing the line containing ".HTR" from
the extension mappings. The full text of the Microsoft bulletin can be
found at

  http://www.microsoft.com/security/bulletins/ms99-019.asp

Another web page to check for the Microsoft security bulletin is

  http://www.microsoft.com/security

There is some other discussion of the security problem at

  http://www.wired.com/news/news/technology/story/20231.html

and the details of how to break in via this security hole have been
published at

  http://www.eeye.com/database/advisories/ad06081999/ad06081999-exploit.html

For more information about reconfiguring your computers to eliminate
this new security problem, see

  http://web.mit.edu/net-security/www/fyi/fyi-1999-002-iis.html

Matt Power
Network Security team, MIT Information Systems
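
An added example, not part of the original message or of Microsoft's bulletin: a small Python check that reads exported extension mappings and reports any host where ".HTR" is still mapped, as a way to verify the workaround described above. It assumes the mappings were exported one per line as comma-separated `extension,executable,...` entries; the host names, paths and sample entries are constructed.

```python
"""Check exported IIS extension mappings for a remaining .htr entry."""

# Constructed sample: mappings before the workaround (paths are illustrative).
BEFORE = r"""
.asp,C:\WINNT\System32\inetsrv\asp.dll,1,PUT,DELETE
.HTR,C:\WINNT\System32\inetsrv\ism.dll,1
.idc,C:\WINNT\System32\inetsrv\httpodbc.dll,1
"""

# Constructed sample: the same list after the .HTR line has been removed.
AFTER = r"""
.asp,C:\WINNT\System32\inetsrv\asp.dll,1,PUT,DELETE
.idc,C:\WINNT\System32\inetsrv\httpodbc.dll,1
"""


def parse_mappings(text):
    """Return (extension, executable) pairs from a mapping export.

    Assumed format: one mapping per line, comma-separated, with the
    extension first and the handler path second. Blank lines and lines
    that do not start with a dot-extension are skipped.
    """
    pairs = []
    for raw in text.splitlines():
        line = raw.strip().strip('"')
        fields = [f.strip() for f in line.split(",")]
        if len(fields) < 2 or not fields[0].startswith("."):
            continue
        # Extensions are matched case-insensitively (.HTR == .htr).
        pairs.append((fields[0].lower(), fields[1]))
    return pairs


def htr_mappings(text):
    """Return the mappings that still bind .htr."""
    return [(ext, exe) for ext, exe in parse_mappings(text) if ext == ".htr"]


def audit(hosts):
    """Map each host name to True if .htr is still mapped on it."""
    return {host: bool(htr_mappings(export)) for host, export in hosts.items()}


if __name__ == "__main__":
    for host, exposed in audit({"web1": BEFORE, "web2": AFTER}).items():
        print(host, "STILL MAPS .HTR" if exposed else "ok")
```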