
Internet Information Services Security Roll-up Package

me101   on 10 April 2002 - 13:29 · 7 comments & 198 views

This update addresses several newly discovered security vulnerabilities affecting Internet Information Services (IIS) 5.1 on Windows XP, as well as incorporating all previous updates for IIS.

It fixes ten new vulnerabilities, the most serious of which could enable code of an attacker’s choice to be run on a server:
  • A buffer overrun vulnerability involving the operation of the chunked encoding transfer mechanism via Active Server Pages in IIS 4.0 and 5.0.
  • A Microsoft-discovered vulnerability that is related to the preceding one, but which lies elsewhere within the ASP data transfer mechanism.
  • A buffer overrun involving how IIS 4.0, 5.0 and 5.1 process HTTP header information in certain cases.
  • A Microsoft-discovered buffer overrun vulnerability in IIS 4.0, 5.0 and 5.1 that results from an error in a safety check that is performed during server-side includes.
  • A buffer overrun affecting the HTR ISAPI extension in IIS 4.0 and 5.0.
  • A denial of service vulnerability involving the way IIS 4.0, 5.0 and 5.1 handle an error condition from ISAPI filters.
  • A denial of service vulnerability involving the way the FTP service in IIS 4.0, 5.0 and 5.1 handles a request for the status of the current FTP session.
  • A trio of Cross-Site Scripting (CSS) vulnerabilities affecting IIS 4.0, 5.0 and 5.1: one involving the results page that’s returned when searching the IIS Help Files, one involving HTTP error pages, and one involving the error message that’s returned to advise that a requested URL has been redirected.
This patch is a cumulative patch that includes the functionality of all security patches released for IIS 4.0 since Windows NT 4.0 Service Pack 6a, and all security patches released to date for IIS 5.0 and 5.1.

Customers using any of the affected products should install the patch immediately.

News source: Microsoft Security Bulletin MS02-018 - Cumulative Patch for Internet Information Services
Download patch for: Microsoft IIS 4.0, Microsoft IIS 5.0 or Microsoft IIS 5.1


Next, the spreadsheet component also enables an attacker to control the clipboard even when the IE option "allow paste operations via script" has been disabled.

"The 'Paste' method of the Range object and the 'Copy' method of the Cell object give an attacker full control over clipboard operations," GreyMagic says.

In this case control means just what it says: the ability to read from and insert data into the victim's clipboard. There are three sample scripts posted with the bulletin, along with a demonstration. The workaround, again, is to disable ActiveX and plugins until MS issues a fix.

Finally, it is possible to read local files, again by exploiting the spreadsheet component.

"The 'LoadText' method of the Range object takes a URL as its first argument; it throws an error if the URL supplied is not in the same domain as the current document.

However, this protection can be easily bypassed by supplying a URL that will redirect to the desired local or remote file.

OWC is fooled to think that the URL is safe and loads the contents of the file into the spreadsheet; it is then trivial to retrieve the content and transfer it to the server or use it in malicious ways," GreyMagic says.

The associated advisory includes two sample scripts and a demo. Once again, the workaround is to disable ActiveX and plugins.
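The flaw GreyMagic describes is a general one: an origin check applied only to the URL as supplied, while the fetch that follows transparently follows redirects. The added example below (not GreyMagic's scripts and not OWC code) models that check against a constructed redirect table, beside a version that re-validates every hop and rejects non-HTTP schemes; `REDIRECTS`, the host names and both function names are assumptions made for the example.

```javascript
// Constructed redirect table standing in for HTTP 3xx responses (no network access).
const REDIRECTS = {
  "http://attacker.example/bounce": "file:///C:/secret.txt",
  "http://attacker.example/hop1": "http://attacker.example/hop2",
  "http://attacker.example/hop2": "http://victim.example/private.txt",
};

// Scheme plus host, the unit the same-domain check compares.
function origin(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

// Flawed pattern from the advisory: check only the URL as supplied,
// then follow whatever redirects come back without looking again.
function naiveLoadAllowed(url, documentUrl) {
  if (origin(url) !== origin(documentUrl)) {
    return { allowed: false, finalUrl: url };
  }
  let current = url;
  while (REDIRECTS[current]) current = REDIRECTS[current]; // blind follow
  return { allowed: true, finalUrl: current };
}

// Corrected pattern: re-check the scheme and origin at every hop and
// bound the chain length, so a redirect cannot smuggle in a local file
// or a third-party host.
function strictLoadAllowed(url, documentUrl, maxHops = 5) {
  let current = url;
  for (let hop = 0; hop <= maxHops; hop++) {
    const u = new URL(current);
    if (u.protocol !== "http:" && u.protocol !== "https:") {
      return { allowed: false, finalUrl: current }; // e.g. file:
    }
    if (origin(current) !== origin(documentUrl)) {
      return { allowed: false, finalUrl: current }; // cross-domain hop
    }
    const next = REDIRECTS[current];
    if (!next) return { allowed: true, finalUrl: current };
    current = next;
  }
  return { allowed: false, finalUrl: current }; // redirect loop or too long
}
```

With the document loaded from `http://attacker.example/`, the naive check lets `/bounce` end up at `file:///C:/secret.txt`, while the strict check refuses it at the first redirected hop.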

According to GreyMagic, MS has been notified of all the above difficulties and is currently investigating them. No doubt Redmond will be much irritated by disclosure ahead of their patch release; but since there are effective workarounds, it seems better that users should be informed and given the chance to take immediate steps rather than be kept ignorant and vulnerable.
