[8762] in bugtraq
Microsoft Security Bulletin (MS98-019) (fwd)
daemon@ATHENA.MIT.EDU (Rattle)
Tue Dec 22 01:33:48 1998
Date: Mon, 21 Dec 1998 15:56:44 -0600
Reply-To: Bugtraq List <BUGTRAQ@NETSPACE.ORG>
From: Rattle <rattle@TLORAH.NET>
To: BUGTRAQ@NETSPACE.ORG
Another IIS DoS attack? Of course!
...
. Nick Levay
. rattle@tlorah.net
. "There are two major products that come out of Berkeley: LSD and UNIX.
. We do not believe this to be a coincidence."
>The following is a Security Bulletin from the Microsoft Product Security
>Notification Service.
>
>Please do not reply to this message, as it was sent from an unattended
>mailbox.
> ********************************
>
>Microsoft Security Bulletin (MS98-019)
>--------------------------------------
>
>Patch Available for IIS "GET" Vulnerability
>
>Originally Posted: December 21, 1998
>
>Summary
>=======
>Microsoft has released a patch that fixes a vulnerability in Microsoft(r)
>Internet Information Server(r) that could allow denial-of-service attacks
>to be mounted against web servers.
>
>There have been no reports of customers being affected by this
>vulnerability. However, Microsoft is publishing this bulletin and
releasing
>the patch to allow customers to address the potential security risk it
>poses. As detailed below in What Customers Should Do, Microsoft recommends
>that users evaluate whether they are at risk from this attack and install
>the patch if appropriate.
>
>Issue
>=====
>This vulnerability involves the HTTP GET method, which is used to obtain
>information from an IIS web server. Specially-malformed GET requests can
>create a denial of service situation that consumes all server resources,
>causing a server to "hang." In some cases, the server can be put back into
>service by stopping and restarting IIS; in others, the server may need to
be
>rebooted. This situation cannot happen accidentally. The malformed GET
>requests must be deliberately constructed and sent to the server. It is
>important to note that this vulnerability does not allow data on the
server
>to be compromised, nor does it allow any privileges on it to be usurped.
>
>Affected Software Versions
>==========================
> - Microsoft Internet Information Server, versions 3.0 and 4.0, on x86 and
>Alpha platforms.
>
>What Microsoft is Doing
>=======================
>On December 21, Microsoft released a patch that fixes the problem. This
>patch is available for download from the sites listed below. Please see
>What Customers Should Do for additional information on the patch.
>
>Microsoft has sent this security bulletin to customers subscribing
>to the Microsoft Product Security Notification Service (see
>http://www.microsoft.com/security/services/bulletin.asp for
>more information about this free customer service).
>
>Microsoft has published the following Knowledge Base (KB) article on this
>issue:
> - Microsoft Knowledge Base (KB) article Q192296,
> IIS: Patch Available for IIS "GET" Vulnerability,
> http://support.microsoft.com/support/kb/articles/q192/2/96.asp.
> (Note: It might take 24 hours from the original posting of this
> bulletin for the updated KB article to be visible in the Web-based
> Knowledge Base.)
>
>Microsoft has released the following hot fixes:
> - Fix for IIS 3.0 on X86 platforms:
> ftp://ftp.microsoft.com/bussys/iis/iis-public
> /fixes/usa/security/Infget-fix/infget3i.exe
> - Fix for IIS 4.0 on X86 platforms:
> ftp://ftp.microsoft.com/bussys/iis/iis-public
> /fixes/usa/security/Infget-fix/infget4i.exe
> - Fix for IIS 3.0 on Alpha platforms:
> ftp://ftp.microsoft.com/bussys/iis/iis-public
> /fixes/usa/security/Infget-fix/infget3a.exe
> - Fix for IIS 4.0 on Alpha platforms:
> ftp://ftp.microsoft.com/bussys/iis/iis-public
> /fixes/usa/security/Infget-fix/infget4a.exe
>(Note: the URLs above have been wrapped for readability)
>
>What Customers Should Do
>========================
>The patch for this vulnerability is fully supported. However, it has not
>been fully regression tested and should only be applied to systems
>determined to be at risk of attack. A fully regression-tested version of
>the patch will be available as part of the next Windows NT service pack.
>
>Microsoft recommends that customers evaluate the degree of risk that this
>vulnerability poses to their systems, based on physical accessibility,
>network and Internet connectivity, and other factors, and determine
whether
>the appropriate course of action is to apply the patch or wait for the
next
>service pack.
>
>More Information
>================
>Please see the following references for more information related to this
>issue.
> - Microsoft Security Bulletin 98-019,
> Patch Available for IIS "GET" Vulnerability
> (the Web-posted version of this bulletin),
> http://www.microsoft.com/security/bulletins/ms98-019.asp.
> - Microsoft Knowledge Base (KB) article Q192296,
> IIS: Patch Available for IIS "GET" Vulnerability,
> http://support.microsoft.com/support/kb/articles/q192/2/96.asp.
> (Note: It might take 24 hours from the original posting of this
> bulletin for the updated KB article to be visible in the Web-based
> Knowledge Base.)
>
>Obtaining Support on this Issue
>===============================
>This is a supported patch. If you have problems installing
>this patch or require technical assistance with this patch,
>please contact Microsoft Technical Support. For information
>on contacting Microsoft Technical Support, please see
>http://support.microsoft.com/support/contact/default.asp.
>
>Acknowledgements
>================
>Microsoft wishes to acknowledge the contribution made by
>Brian Steele of Cable and Wireless Grenada, Ltd. (www.candw.com),
>and Eugene Kalinin of the N. N.Burdenko Neurosurgery Institute,
>who reported the problem to us.
>
>Revisions
>=========
> - December 21, 1998: Bulletin Created
>
>
>For additional security-related information about Microsoft products,
>please visit http://www.microsoft.com/security
>
>
>---------------------------------------------------------------------------
>
>THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS
IS"
>WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER
>EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND
FITNESS
>FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS
>SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
>INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES,
>EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
>POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR
>LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE
>FOREGOING LIMITATION MAY NOT APPLY.
>
>(c) 1998 Microsoft Corporation. All rights reserved. Terms of Use.
>
> *******************************************************************
>You have received this e-mail bulletin as a result of your registration
>to the Microsoft Product Security Notification Service. You may
>unsubscribe from this e-mail notification service at any time by sending
>an e-mail to MICROSOFT_SECURITY-SIGNOFF-REQUEST@ANNOUNCE.MICROSOFT.COM
>The subject line and message body are not used in processing the request,
>and can be anything you like.
>
>For more information on the Microsoft Security Notification Service
>please visit http://www.microsoft.com/security/bulletin.htm. For
>security-related information about Microsoft products, please visit the
>Microsoft Security Advisor web site at http://www.microsoft.com/security.