Microsoft fixes IIS bugs -- again
It must be not be much fun to work on Microsoft Corp.'s Internet Information Services 5.0 (IIS) these days. The first two weeks of May saw the discovery of a number of security flaws in IIS, including ones that might lead to denial of service (DoS) attacks or allow an attacker to take near-total control of a system.
On Tuesday, Microsoft issued yet another patch, this time for IIS version 4.0 (Service Pack 5 and higher) and version 5.0, which will protect against other DoS and takeover attacks, as well as correct problems created by other "fixes."
The new patch, available now at Microsoft's TechNet Web site, fixes three flaws in the IIS software. The first flaw allows an attacker to gain the ability to execute programs on the system by sending a certain sequence of packets of data, though it would not allow the attacker to gain administrator-level privileges. The second problem fixed in the update concerns an FTP (file transfer protocol) DoS which could cause the program to run out of memory, thus causing all connections to shut down. Finally, another issue with FTP services could have allowed an attacker to gain access to "Guest" accounts, though this vulnerability seems to be the most minor.
The new patch also fixes new flaws introduced by three Microsoft patches issued in August 2000 and March 2001. The fix offered by the August patch, Microsoft Security Bulletin MS00-060, had created conditions that would allow an attacker to slow down a system. Two fixes issued in March, MS01-014 and MS01-016, had created potential for a denial of service attack.
The first flaw in IIS was discovered by NSfocus Information Technology Co. Ltd., a Chinese security firm. The two FTP issues were found by Lukasz Luzar of Developers.of.PL and Aiden ORawe. Kevin Kotas, of eSecurityOnline LLC, a security portal, discovered the bugs created by the earlier patches.
The patch issued Tuesday is the third Microsoft has released for its server products in the first two weeks of May.
Two other patches were issued, fixing vulnerabilities in Windows 2000 Server and IIS 5.0 which could lead to the complete takeover of systems by an attacker or a DoS attack, respectively.
IDG News Service
Sign up for ITworld's Daily newsletter
Follow ITworld on Twitter @IT_world
Esther Schindler
If the comments are ugly, the code is ugly
claird
SVG a graphics format for 21st century
pasmith
Take Chrome OS for a test spin
Sandra Henry-Stocker
Solaris Tip: Have Your Files Changed Since Installation?
jfruh
Android fragments vs. the iPhone monolith
mikelgan
What Gizmodo missed about the Pro WX Wireless USB disk drive
Sidekick: The Good News & the Bad News
Either way you look at it Microsoft Data Center management did not follow standards or best practices in this failure. In which case it makes me wonder more about the outsourcing of corporate data much less personal data.
- mburton325
Join the conversation here
Quick, practical advice for IT pros. Made fresh daily.
Want to cash in on your IT savvy? Send your tip to tips@itworld.com. If we post it, we'll send you a $25 Amazon e-gift card.
