Continued from MS Security Bulletins - Vol. 6 (http://www.sysopt.com/forum/Forum1/HTML/004303.html)
============================================
The following is a Security Bulletin from the Microsoft Product Security
Notification Service.
Please do not reply to this message, as it was sent from an unattended
mailbox.
********************************
-----BEGIN PGP SIGNED MESSAGE-----
Microsoft Security Bulletin (MS00-019)
--------------------------------------
Patch Available for "Virtualized UNC Share" Vulnerability
Originally Posted: March 30, 2000
Summary
-------
Microsoft has released a patch that eliminates a security
vulnerability in Microsoft(r) Internet Information Server and
products based on it. Under certain fairly unusual conditions, the
vulnerability could cause a web server to send the source code of
.ASP and other files to a visiting user.
Frequently asked questions regarding this vulnerability and the patch
can be found at http://www.microsoft.com/technet/security/bulletin/fq00-019.asp
Issue
-----
If a virtual directory on an IIS server is mapped to a UNC share, and
a request for a file in the directory contains one of several
particular characters at the end, the expected ISAPI extension
processing may not occur. The result is that the source code of the
file would be sent to the browser.
There are significant restrictions that would increase the difficulty
of exploiting this vulnerability:
- By design, virtual directories hide the actual location of files.
Under most circumstances, there would be no way for an attacker to
determine which files on a server actually reside on a UNC share.
- Many browsers will "correct" requests that contain the trailing
characters at issue here, by either removing the characters or
changing them.
- If recommended security practices are followed, .ASP and other
files that require server-side processing will not contain any
sensitive information to compromise.
Affected Software Versions
==========================
- Microsoft Internet Information Server 4.0 and 5.0
- Microsoft Proxy Server 2.0
- Microsoft Site Server and Site Server, Commerce Edition 3.0
- Microsoft Commercial Internet System 2.0 and 2.5
Patch Availability
==================
- Internet Information Server 4.0
Intel:
http://www.microsoft.com/downloads/release.asp?ReleaseID=18900
Alpha:
http://www.microsoft.com/downloads/release.asp?ReleaseID=18901
- Internet Information Server 5.0
http://www.microsoft.com/downloads/release.asp?ReleaseID=19982
NOTE: Proxy Server, Site Server, Site Server Commerce Edition and
Microsoft Commercial Internet System run atop IIS. Customers using
these products should apply the patch appropriate for the version of
IIS they are running.
NOTE: Additional security patches are available at the Microsoft
Download Center.
More Information
================
Please see the following references for more information related to
this issue.
- Frequently Asked Questions: Microsoft Security Bulletin MS00-019,
http://www.microsoft.com/technet/security/bulletin/fq00-019.asp
- Microsoft Knowledge Base (KB) article Q249599,
Virtual Directory Mapped to UNC Returns Server-Side Script Code
When URL Contains Additional Characters at the End of the Request,
http://www.microsoft.com/technet/support/kb.asp?ID=249599
- Microsoft TechNet Security web site,
http://www.microsoft.com/technet/security/default.asp
Obtaining Support on this Issue
===============================
This is a fully supported patch. Information on contacting Microsoft
Technical Support is available at http://support.microsoft.com/support/contact/default.asp
Revisions
=========
- March 30, 2000: Bulletin Created.
socalgal
03-30-2000, 05:10 PM
Microsoft Security Bulletin (MS00-021)
--------------------------------------
Patch Available for "Malformed TCP/IP Print Request" Vulnerability
Originally Posted: March 30, 2000
Summary
=======
Microsoft has released a patch that eliminates a security
vulnerability in the TCP/IP Printing Services for Microsoft(r)
Windows NT(r) 4.0 and Windows(r) 2000. If this service is installed,
the vulnerability could allow a malicious user to disrupt printing
services.
Frequently asked questions regarding this vulnerability can be found
at http://www.microsoft.com/technet/security/bulletin/fq00-021.asp
Issue
=====
TCP/IP Printing Services is an RFC 1179-compliant printing service
designed for environments that use the Berkeley Remote Printing
protocols, also known as LPD and LPR. (In Windows 2000, TCP/IP
Printing Services are also known as Print Services for Unix). A
specially-malformed print request could cause TCPSVC.EXE to crash,
which would not only prevent the server from providing printing
services, but also would stop several other services, most importantly
DHCP. Any affected services could be put back into service by
restarting them; it would not be necessary to reboot the machine.
It is important to note that TCP/IP Printing Services is different
from the native Windows NT 4.0 and Windows 2000 printing services.
TCP/IP Printing Services is not installed by default, and the
vulnerability at hand here would not allow a malicious user to
disrupt printing via the native Windows NT 4.0 and Windows 2000
printing services.
Affected Software Versions
==========================
- Microsoft Windows NT 4.0 Workstation
- Microsoft Windows NT 4.0 Server
- Microsoft Windows NT 4.0 Server, Enterprise Edition
- Microsoft Windows NT 4.0 Server, Terminal Server Edition
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Advanced Server
Patch Availability
==================
- Windows 2000 Professional, Server, and Advanced Server:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=19884
- Windows NT 4.0 Workstation, Windows NT 4.0 Server, and
Windows NT 4.0 Server, Enterprise Edition:
Intel:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=20015
Alpha:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=20016
- Windows NT 4.0 Server, Terminal Server Edition:
To be released shortly
Note: Additional security patches are available at the Microsoft
Download Center.
More Information
================
Please see the following references for more information related to
this issue.
- Microsoft Security Bulletin MS00-021: Frequently Asked Questions,
http://www.microsoft.com/technet/security/bulletin/fq00-021.asp
- Microsoft Knowledge Base (KB) article Q257870
(Will be available within 24 hours)
- RFC 1179, Line Printer Daemon Protocol,
http://www.ietf.org/rfc/rfc1179.txt.
- Microsoft TechNet Security web site,
http://www.microsoft.com/technet/security/default.asp
Obtaining Support on this Issue
===============================
This is a fully supported patch. Information on contacting Microsoft
Technical Support is available at http://support.microsoft.com/support/contact/default.asp
Acknowledgments
===============
Microsoft thanks Underground Security Systems Research
(http://www.ussrback.com) for reporting this issue to us and working
with us to protect customers.
Revision
========
- March 30, 2000: Bulletin Created.
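An added example (not part of the post or of Microsoft's bulletin): a strict parser for the RFC 1179 daemon command lines the bulletin refers to, which rejects oversized or malformed requests instead of passing them on to the print subsystem. The length caps, the operand alphabet and the sample requests are assumptions made for this example.

```python
"""Strict validator for RFC 1179 (LPD/LPR) daemon command lines.

Added example, not code from Microsoft or from the bulletin. The bulletin
does not say how the crashing request was malformed, so the limits below
(accepted command bytes, operand character set, length caps) and the sample
requests are this example's own assumptions.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

MAX_REQUEST_LEN = 256   # assumed cap on one command line, including the LF
MAX_QUEUE_LEN = 64      # assumed cap on a queue name

# RFC 1179 section 5: one command byte, operands separated by SP/TAB, LF end.
COMMANDS = {
    1: "print-waiting-jobs",   # \001 Queue LF
    2: "receive-job",          # \002 Queue LF
    3: "queue-state-short",    # \003 Queue [List] LF
    4: "queue-state-long",     # \004 Queue [List] LF
    5: "remove-jobs",          # \005 Queue Agent [List] LF
}

# Queue names, user names and job numbers: keep operands to a safe alphabet.
OPERAND_RE = re.compile(rb"[A-Za-z0-9._-]+")


class MalformedRequest(ValueError):
    """Raised instead of letting a bad request reach the print subsystem."""


@dataclass
class LpdRequest:
    command: str
    queue: str
    operands: List[str]


def parse_lpd_request(raw: bytes) -> LpdRequest:
    """Parse one daemon command line or raise MalformedRequest."""
    if len(raw) > MAX_REQUEST_LEN:
        raise MalformedRequest("request exceeds %d bytes" % MAX_REQUEST_LEN)
    if not raw.endswith(b"\n"):
        raise MalformedRequest("missing terminating LF")
    body = raw[:-1]
    if b"\n" in body or b"\r" in body:
        raise MalformedRequest("embedded line terminator")
    if not body:
        raise MalformedRequest("empty request")
    code = body[0]
    if code not in COMMANDS:
        raise MalformedRequest("unknown command byte 0x%02x" % code)
    fields = body[1:].split()          # split on runs of SP/TAB
    if not fields:
        raise MalformedRequest("missing queue name")
    for f in fields:
        if not OPERAND_RE.fullmatch(f):
            raise MalformedRequest("operand contains bytes outside the allowed set")
    queue, rest = fields[0], fields[1:]
    if len(queue) > MAX_QUEUE_LEN:
        raise MalformedRequest("queue name too long")
    if code in (1, 2) and rest:
        raise MalformedRequest("command %d takes exactly one operand" % code)
    if code == 5 and not rest:
        raise MalformedRequest("remove-jobs requires an agent operand")
    return LpdRequest(COMMANDS[code], queue.decode("ascii"),
                      [r.decode("ascii") for r in rest])


def rejection_reason(raw: bytes) -> Optional[str]:
    """Return why a request is rejected, or None when it parses cleanly."""
    try:
        parse_lpd_request(raw)
    except MalformedRequest as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # Constructed requests: two well-formed, the rest malformed in various ways.
    for sample in (b"\x02lp\n", b"\x05lp root 17\n", b"\x02lp",
                   b"\x09lp\n", b"\x02" + b"A" * 300 + b"\n", b"\x02lp\xff\n"):
        print(sample[:24], "->", rejection_reason(sample) or "accepted")
```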
socalgal
03-31-2000, 06:33 PM
Microsoft Security Bulletin (MS00-006)
--------------------------------------
Patch Available for "Malformed Hit-Highlighting Argument"
Vulnerability
Originally Posted: January 26, 2000
Revised March 31, 2000
Summary
=======
On January 26, 2000 Microsoft released the original version of this
bulletin to announce the availability of a patch that eliminates two
security vulnerabilities in Microsoft(r) Index Server. The first
vulnerability could allow a malicious user to view -- but not to
change, add or delete -- files on a web server. The second
vulnerability could reveal where web directories are physically
located on the server.
On February 04, 2000, a new variant of the second vulnerability was
discovered, which was already eliminated by the patch. Microsoft
updated this bulletin in order to advise customers of it, but
customers who already applied the patch did not need to take any
action.
On February 11, 2000, Microsoft re-released the Windows 2000 version
of this patch to take advantage of improvements in the Hotfix
packaging tool. These improvements enable the hotfix tool to detect
the default language of the system, and also give users better
inventory control based on the Knowledge Base article and Service
Pack. Although the patch itself was not changed by this re-release,
Microsoft nevertheless recommended that Windows 2000 customers apply
the new version in order to ensure that the new tool was present on
their systems.
On March 31, 2000, Microsoft re-released the Windows NT 4.0 version of
this patch, to address a recently-discovered variant of the
vulnerability. Only the Windows NT 4.0 patch was affected by the new
variant.
Frequently asked questions about this vulnerability can be found at http://www.microsoft.com/technet/security/bulletin/fq00-006.asp
Issue
=====
This patch eliminates two vulnerabilities whose only relationship is
that both occur in Index Server. The first is the "Malformed
Hit-Highlighting Argument" vulnerability. The ISAPI filter that
implements the hit-highlighting (also known as "WebHits")
functionality does not adequately constrain what files can be
requested. By providing a deliberately-malformed argument in a
request to hit-highlight a document, it is possible to escape the
virtual directory. This would allow any file residing on the server
itself, and on the same logical drive as the web root directory, to be
retrieved regardless of permissions. A new variant of this
vulnerability was announced on March 31, 2000. This variant could
allow the source of server-side files such as .ASP files to be read.
The new variant affects only Index Server 2.0, and Windows 2000
customers who applied the original patch were never at risk from it.
The second vulnerability involves the error message that is returned
when a user requests a non-existent Internet Data Query file. The
error message provides the physical path to the web directory that was
contained in the request. Although this vulnerability would not allow
a malicious user to alter or view any data, it could be a valuable
reconnaissance tool for mapping the file structure of a web server. A
new variant of this vulnerability was announced on February 04, 2000.
This variant could allow a malicious user to read files. The variant
was eliminated by the original patch, and customers who applied the
original version of the patch were never at risk from it.
Indexing Services in Windows 2000 is affected only by the "Malformed
Hit-Highlighting" vulnerability - it is not affected by the second
vulnerability. Also, it is important to note that, although Indexing
Services in Windows 2000 is installed by default, it is not started
unless the administrator has explicitly turned it on.
Affected Software Versions
==========================
- Microsoft Index Server 2.0
- Indexing Service in Windows 2000
Patch Availability
==================
- Index Server 2.0:
Intel:
http://www.microsoft.com/downloads/release.asp?ReleaseID=17727
Alpha:
http://www.microsoft.com/downloads/release.asp?ReleaseID=17728
- Indexing Services for Windows 2000:
Intel:
http://www.microsoft.com/downloads/release.asp?ReleaseID=17726
NOTE: The Download Center page incorrectly gives 26 January 2000 as
the date of the patch. We are working to correct this error, but have
verified that the patch that is on the Download Center is the most
recent version.
NOTE: Additional security patches are available at the Microsoft
Download Center.
More Information
================
Please see the following references for more information related to
this issue.
- Frequently Asked Questions: Microsoft Security Bulletin MS00-006,
http://www.microsoft.com/technet/security/bulletin/fq00-006.asp
- Microsoft Knowledge Base (KB) article Q251170,
Malformed Argument in Hit-Highlighting Request Allows Access to
Web Server Files,
http://www.microsoft.com/technet/support/kb.asp?ID=251170
- Microsoft Knowledge Base (KB) article Q252463,
Index Server Error Message Reveals Physical Location of Web
Directories,
http://www.microsoft.com/technet/support/kb.asp?ID=252463
- Microsoft TechNet Security web site,
http://www.microsoft.com/technet/security/default.asp
Obtaining Support on this Issue
===============================
This is a fully supported patch. Information on contacting Microsoft
Technical Support is available at http://support.microsoft.com/support/contact/default.asp
Acknowledgments
===============
Microsoft thanks David Litchfield of Cerberus Information Security,
Ltd, http://www.cerberus-infosec.co.uk for reporting the "Malformed
Hit-Highlighting Argument" vulnerability to us and working with us to
protect customers.
Revisions
=========
- January 26, 2000: Bulletin Created.
- February 04, 2000: Bulletin revised to provide additional detail
about Indexing Services, and to discuss an additional variant of
the "Malformed Hit-Highlighting Argument" vulnerability that is
eliminated by the original patch.
- February 11, 2000: Bulletin revised to reflect availability of
patch for Windows 2000 with new version of Hotfix.exe
- March 31, 2000: Bulletin revised to discuss new variant of
"Malformed Hit-Highlighting Argument" vulnerability affecting
Windows NT 4.0.
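An added example (not from the post or from Microsoft): the containment check a hit-highlighting style handler should apply to its document argument before opening anything, covering both the escape from the virtual directory and the variant that exposes .ASP source. The root path, the extension list and the sample arguments are assumed.

```python
"""Confine a hit-highlighting style file argument to its virtual directory.

Added example, not Microsoft's or Index Server's code. It models the defect
the bulletin describes (a document argument that is not constrained to the
virtual directory, and a variant that exposes .ASP source) by rejecting such
arguments before any file is opened. The root path, the extension list and
the sample arguments are constructed assumptions.
"""
import os
import posixpath
from typing import Optional

# Server-side files whose source must never be returned as plain text
# (assumed list; the bulletin names .ASP as the example).
SERVER_SIDE_EXTENSIONS = {".asp", ".asa", ".idq"}


def resolve_document(vroot: str, argument: str) -> Optional[str]:
    """Map a request argument to an absolute path under vroot, or None.

    None means "refuse": the argument is empty, carries a NUL, is absolute,
    names a drive, climbs out of the root with "..", or targets a file
    whose source is server-side code.
    """
    if not argument or "\x00" in argument:
        return None
    # Both separators split path components on the affected platform, so
    # normalising only "/" would leave "..\\" unexamined.
    arg = argument.replace("\\", "/")
    if arg.startswith("/") or (len(arg) > 1 and arg[1] == ":"):
        return None                         # absolute path or drive letter
    norm = posixpath.normpath(arg)          # collapses "a/../b", "./x" etc.
    if norm == "." or norm == ".." or norm.startswith("../"):
        return None                         # escapes the virtual directory
    if posixpath.splitext(norm)[1].lower() in SERVER_SIDE_EXTENSIONS:
        return None
    root = os.path.abspath(vroot)
    candidate = os.path.abspath(os.path.join(root, *norm.split("/")))
    # Belt and braces: the resolved path must still sit inside the root.
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


if __name__ == "__main__":
    # Constructed arguments against an assumed root.
    ROOT = "/srv/wwwroot"
    for arg in ("docs/report.htm", "docs/../index.htm", "../../boot.ini",
                "..\\..\\winnt\\repair\\sam", "default.asp", "C:/winnt/win.ini"):
        print(repr(arg), "->", resolve_document(ROOT, arg))
```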
socalgal
04-03-2000, 06:09 PM
Microsoft Security Bulletin (MS00-022)
--------------------------------------
Patch Available for "XLM Text Macro" Vulnerability
Originally Posted: April 03, 2000
Summary
=======
Microsoft has released a patch that eliminates a security
vulnerability in Microsoft(r) Excel. The vulnerability could allow a
macro to run without generating the expected security warning.
Frequently asked questions regarding this vulnerability can be found
at http://www.microsoft.com/technet/security/bulletin/fq00-022.asp
Issue
=====
When an Excel user starts a macro that resides outside of the current
spreadsheet (for example, in another spreadsheet), Excel by design
will generate a warning dialogue. However, this dialogue is not
generated if the macro consists of Excel 4.0 Macro Language (XLM)
commands in an external text file.
The vulnerability only affects whether a warning dialogue is displayed
- it does not change any other aspects of the macro's operation. A
malicious user would need to entice a user into accepting the
spreadsheet and opening it. Further, there is no means to
"autolaunch" such a macro, so the malicious user would need to entice
the user into clicking a link to launch the macro.
Affected Software Versions
==========================
- Microsoft Excel 97
- Microsoft Excel 2000
Note: Excel ships as a stand-alone product, and also as a member of
the Office family.
Note: Previous versions of Excel may be affected by this
vulnerability. The recommended course of action for customers using
these products is to upgrade to either Excel 97 or 2000, and apply the
patch for them.
Patch Availability
==================
- Excel 97:
http://www.officeupdate.com/downloadDetails/Xl8p9pkg.htm?
s=/downloadCatalog/dldExcel.asp
Note: A line break has been inserted into the above URL
for readability.
Note: This patch requires Office 97 Service Release 2
- Excel 2000:
This vulnerability is eliminated in Office Service Release 1,
which is available at
http://www.officeupdate.com/2000/downloadDetails/O2kSR1DDL.htm
Note: Additional security patches are available at the Microsoft
Download Center.
More Information
================
Please see the following references for more information related to
this issue.
- Microsoft Security Bulletin MS00-022: Frequently Asked Questions,
http://www.microsoft.com/technet/security/bulletin/fq00-022.asp
- Microsoft Knowledge Base (KB) article Q255605,
XL2000: Macro Virus Warning Does Not Appear When You Open a Text
File That Contains XLM Code,
http://www.microsoft.com/technet/support/kb.asp?ID=255605
- Microsoft Knowledge Base (KB) article Q255606,
XL97: Macro Virus Warning Does Not Appear When You Open a Text
File That Contains XLM Code,
http://www.microsoft.com/technet/support/kb.asp?ID=255606
- Microsoft TechNet Security web site,
http://www.microsoft.com/technet/security/default.asp
Obtaining Support on this Issue
===============================
This is a fully supported patch. Information on contacting Microsoft
Technical Support is available at http://support.microsoft.com/support/contact/default.asp
Acknowledgments
===============
Microsoft thanks Darryl Higa for reporting this issue to us and
working with us to protect customers.
Revisions
=========
- April 03, 2000: Bulletin Created.
socalgal
04-03-2000, 06:13 PM
I feel it's relevant to post this Office 2000 SR-1 warning here.
Thanks to Underclocked for bringing this to our attention:
Microsoft Security Bulletin (MS00-023)
--------------------------------------
Patch Available for "Myriad Escaped Characters" Vulnerability
Originally Posted: April 12, 2000
Summary
=======
Microsoft has released a patch that eliminates a security
vulnerability in Microsoft(r) Internet Information Server. The
vulnerability could allow a malicious user to slow a web server's
response or prevent it from providing service altogether for a period
of time.
Frequently asked questions regarding this vulnerability and the
patch can be found at http://www.microsoft.com/technet/security/bulletin/fq00-023.asp
Issue
=====
Special characters can be embedded in URLs by use of so-called escaped
character sequences. By providing a specially-malformed URL with an
extremely large number of escaped characters, a malicious user could
arbitrarily increase the work factor associated with parsing the
escaped characters, thereby consuming much or all of the CPU
availability on the server and preventing useful work from being
done.
The vulnerability does not provide any capability to cause the server
to fail, or to add, change or delete data on it. The slowdown would
only last until the URL had been processed, at which point service
would return to normal.
Affected Software Versions
==========================
- Microsoft Internet Information Server 4.0
- Microsoft Internet Information Server 5.0
Patch Availability
==================
- Internet Information Server 4.0
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=20292
- Internet Information Server 5.0
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=20286
Note: Additional security patches are available at the Microsoft
Download Center
More Information
================
Please see the following references for more information related to
this issue.
- Frequently Asked Questions: Microsoft Security Bulletin MS00-023,
http://www.microsoft.com/technet/security/bulletin/fq00-023.asp
- Microsoft Knowledge Base article Q254142 discusses this issue and
will be available soon.
- Microsoft TechNet Security web site,
http://www.microsoft.com/technet/security/default.asp
Obtaining Support on this Issue
===============================
This is a fully supported patch. Information on contacting Microsoft
Technical Support is available at http://support.microsoft.com/support/contact/default.asp
Acknowledgments
===============
Microsoft thanks Vanja Hrustic of the Relay Group for reporting the
"Myriad Escaped Character" vulnerability to us and working with us to
protect customers.
Revisions
=========
- April 12, 2000: Bulletin Created.
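An added example (not from the post or from Microsoft) that serves this bulletin and the MS00-019 post earlier in the thread: a scan over IIS W3C extended log records that flags requests carrying a very large number of escaped characters and requests whose mapped script extension is followed by trailing characters. The threshold, the extension list and the sample log lines are constructed; MS00-019 does not name the trailing characters, so the sample simply appends an arbitrary one.

```python
"""Scan IIS W3C extended log records for the two request shapes described in
MS00-023 (very many escaped characters) and MS00-019 (a mapped script
extension followed by trailing characters).

Added example, not Microsoft's code. The threshold, the extension list and
the sample log lines are constructed assumptions; MS00-019 does not name the
trailing characters, so the sample simply appends an arbitrary one.
"""
import re
from typing import Dict, Iterator, List, Tuple

MAX_ESCAPES = 64   # assumed: far more '%' than any legitimate URL needs

# Extensions normally handled by an ISAPI extension (.asp from the bulletin,
# .asa added here). Match when the extension is followed by a character
# that is neither alphanumeric nor a path separator in the last component.
TRAILING_RE = re.compile(r"\.(asp|asa)[^A-Za-z0-9/][^/]*$", re.IGNORECASE)


def parse_iis_log(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per record, keyed by the names in the #Fields line."""
    fields: List[str] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if fields and len(parts) == len(fields):   # skip unmappable records
            yield dict(zip(fields, parts))


def escape_count(stem: str, query: str) -> int:
    """Every '%' starts a sequence the server's URL parser has to examine."""
    return stem.count("%") + (0 if query == "-" else query.count("%"))


def scan_records(text: str) -> List[Tuple[str, str, str]]:
    """Return (reason, client ip, uri stem) for each suspicious record."""
    findings: List[Tuple[str, str, str]] = []
    for rec in parse_iis_log(text):
        stem = rec.get("cs-uri-stem", "")
        query = rec.get("cs-uri-query", "-")
        ip = rec.get("c-ip", "?")
        n = escape_count(stem, query)
        if n > MAX_ESCAPES:
            findings.append(("excessive escaped sequences (%d)" % n, ip, stem[:32] + "..."))
        elif TRAILING_RE.search(stem):
            findings.append(("trailing characters after mapped extension", ip, stem))
    return findings


# Constructed log excerpt (TEST-NET addresses; the long request is built inline).
SAMPLE_LOG = "\n".join([
    "#Software: Microsoft Internet Information Server 4.0",
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2000-04-13 10:01:02 192.0.2.10 GET /default.asp - 200",
    "2000-04-13 10:01:05 192.0.2.10 GET /pubs/report.asp id=7 200",
    "2000-04-13 10:01:09 192.0.2.77 GET /pubs/report.asp~ - 200",
    "2000-04-13 10:02:30 192.0.2.88 GET /scripts/" + "%41" * 200 + " - 200",
    "2000-04-13 10:03:00 192.0.2.10 GET /img/a%20b.gif - 200",
])

if __name__ == "__main__":
    for reason, ip, stem in scan_records(SAMPLE_LOG):
        print(ip, reason, stem)
```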
socalgal
04-13-2000, 04:20 AM
Microsoft Security Bulletin (MS00-024)
--------------------------------------
Tool Available for "OffloadModExpo Registry Permissions" Vulnerability
Originally Posted: April 12, 2000
Summary
=======
Microsoft has released a tool that installs tighter permissions on a
Windows NT(r) 4.0 registry key. The default permissions could allow a
malicious user who can interactively log onto a Windows NT 4.0 machine
to compromise the cryptographic keys of other users who subsequently
log onto the same machine.
Frequently asked questions regarding this vulnerability and the
patch can be found at http://www.microsoft.com/technet/security/bulletin/fq00-024.asp
Issue
=====
This vulnerability involves a registry key used by the CryptoAPI Base
CSPs to specify the driver DLL for a hardware accelerator. By design,
such a DLL would have access to users' public and private keys.
Although only administrators should have permission to add such a
DLL, the permissions on the key actually would allow any user who
could interactively log onto the machine to do so. By writing a bogus
DLL and installing it, a malicious user could compromise the keys of
other users who subsequently used the machine.
The machines primarily at risk would be workstations and terminal
servers. If normal security recommendations are followed, normal
users will not be allowed to interactively log onto domain
controllers, web servers, database servers, ERP servers, and other
security-critical machines. Windows NT auditing could be used to
determine who changed the key's value. A tool is available that
resets the permissions on the affected key to the correct default
values. In addition, it incorporates the functionality of the tool
provided in Microsoft Security Bulletin MS00-008.
Affected Software Versions
==========================
- Microsoft Windows NT 4.0 Workstation
- Microsoft Windows NT 4.0 Server
- Microsoft Windows NT 4.0 Server, Enterprise Edition
- Microsoft Windows NT 4.0 Server, Terminal Server Edition
NOTE: Windows 2000 is not affected by this vulnerability.
NOTE: Additional security patches are available at the Microsoft
Download Center
More Information
================
Please see the following references for more information related to
this issue.
- Frequently Asked Questions: Microsoft Security Bulletin MS00-024,
http://www.microsoft.com/technet/security/bulletin/fq00-024.asp
- Microsoft Knowledge Base article Q259496 discusses this issue
and will be available soon.
- Microsoft TechNet Security web site,
http://www.microsoft.com/technet/security/default.asp
Obtaining Support on this Issue
===============================
This is a fully supported patch. Information on contacting Microsoft
Technical Support is available at http://support.microsoft.com/support/contact/default.asp
Acknowledgments
===============
Microsoft thanks Sergio Tabanelli and Banca Nazionale del Lavoro for
reporting this vulnerability to us and working with us to protect
customers.
Revisions
=========
- April 12, 2000: Bulletin Created.
socalgal
04-14-2000, 08:13 PM
Microsoft Security Bulletin (MS00-025)
--------------------------------------
Procedure Available to Eliminate "Link View Server-Side Component"
Vulnerability
Originally Posted: April 14, 2000
Summary
=======
A procedure is available to eliminate a security vulnerability in
several web server products. The vulnerability could allow a user who
has privileges on a web server to read certain files from other web
sites hosted on the same computer.
Frequently asked questions regarding this vulnerability and
the procedure can be found at http://www.microsoft.com/technet/security/bulletin/fq00-025.asp
Issue
=====
Dvwssr.dll is a server-side component used to support the Link View
feature in Visual Interdev 1.0. By design, it provides .asp files to
clients who have web authoring privileges on the server. However, it
does not properly restrict the files that a web author can request,
with the result that a user who has web authoring privileges on one
web site could request .asp files from anywhere on the server,
including other web sites hosted on it. However, even with this
vulnerability, the component would only comply with the request if
the specific file granted read access to the user.
There are some significant restrictions to this vulnerability:
- Only servers hosting multiple web sites could be affected by it
- Only a user who has web authoring privileges for a site on the
server could request a file. He would need to know the name and
location of the file on the server.
- The files would only be sent if their permissions granted read
access to the particular user who requested them. In most cases,
this would mean that the files granted read access to the
Everyone group
- Only .asp files (and global.asa, which is a special-case .asp
file) could be retrieved.
Affected Software Versions
==========================
The affected component is part of Visual Interdev 1.0. However, it is
a server-side component, and is included in the following products:
- Windows NT 4.0 Option Pack
- Personal Web Server 4.0, which ships as part of Windows 95 and 98
- Front Page 98 Server Extensions
NOTE:
1. Windows 2000 is not affected by this vulnerability. Upgrading
from an affected Windows NT 4.0 to Windows 2000 removes the
vulnerability.
2. Installing Office 2000 Server Extensions on an affected server
removes this vulnerability.
3. Installing FrontPage 2000 Server Extensions on an affected
server removes this vulnerability.
Remediation
===========
To eliminate this vulnerability, customers who are hosting web sites
should delete all copies of the file Dvwssr.dll from their servers.
The FAQ provides step-by-step instructions for doing this. The only
functionality lost by deleting the file is the ability to generate
link views using Visual Interdev 1.0.
More Information
================
Please see the following references for more information related to
this issue.
- Frequently Asked Questions: Microsoft Security Bulletin MS00-025,
http://www.microsoft.com/technet/security/bulletin/fq00-025.asp
- Microsoft Knowledge Base article Q259799 discusses this issue
and will be available soon.
- Microsoft TechNet Security web site,
http://www.microsoft.com/technet/security/default.asp
Obtaining Support on this Issue
===============================
Information on contacting Microsoft Technical Support is available
at http://support.microsoft.com/support/contact/default.asp
Revisions
=========
- April 14, 2000: Bulletin Created.
socalgal
04-15-2000, 08:41 AM
Microsoft Security Bulletin (MS00-025)
--------------------------------------
Procedure Available to Eliminate "Link View Server-Side Component"
Vulnerability
Originally Posted: April 14, 2000
Summary
=======
On April 14, 2000, Microsoft issued the original version of this
bulletin, to discuss a security vulnerability affecting several web
server products. Shortly after publishing the bulletin, we learned of
a new, separate vulnerability that significantly increases the threat
to users of these products. The remediation is the same as originally
described, so any customers who followed the original recommendations
would not need to take additional steps. However, some customers who
did not need to take action based on the original assessment may need
to do so now.
A procedure is available to eliminate a security vulnerability that
could allow a malicious user to cause a web server to crash.
Microsoft is investigating the possibility that the vulnerability also
would allow a malicious user to run arbitrary code on the server, and
will update this bulletin when this is known.
Frequently asked questions regarding this vulnerability and the
procedure can be found at http://www.microsoft.com/technet/security/bulletin/fq00-025.asp
Issue
=====
Dvwssr.dll is a server-side component used to support the Link View
feature in Visual Interdev 1.0. However, it contains an unchecked
buffer. If overrun with random data, it could be used to cause an
affected server to crash.
Microsoft is continuing to investigate this issue in order to
determine whether there also is a capability to run arbitrary code on
the server. We will update this bulletin when these results are known.
However, the threat posed by the denial of service case alone is
sufficient to warrant taking the remediation steps detailed below.
Customers who take these steps now will not need to take additional
steps regardless of the final outcome of the investigation.
Affected Software Versions
==========================
The affected component is part of Visual Interdev 1.0. However, it is
a server-side component, and is included in the following products:
- Windows NT 4.0 Option Pack, which is the primary distribution
mechanism for Internet Information Server 4.0
- Personal Web Server 4.0, which ships as part of Windows 95 and 98
- Front Page 98 Server Extensions
NOTE:
1. Windows 2000 is not affected by this vulnerability. Upgrading from
an affected Windows NT 4.0 to Windows 2000 removes the
vulnerability.
2. Installing Office 2000 Server Extensions on an affected server
removes this vulnerability.
3. Installing FrontPage 2000 Server Extensions on an affected server
removes this vulnerability.
Remediation
===========
To eliminate this vulnerability, customers who are hosting web sites
using any of the affected products should delete all copies of the
file Dvwssr.dll from their servers. The FAQ provides step-by-step
instructions for doing this. The only functionality lost by deleting
the file is the ability to generate link views using Visual Interdev
1.0.
More Information
================
Please see the following references for more information related to
this issue.
- Frequently Asked Questions: Microsoft Security Bulletin MS00-025,
http://www.microsoft.com/technet/security/bulletin/fq00-025.asp
- Microsoft Knowledge Base article Q259799 discusses this issue
and will be available soon.
- Microsoft TechNet Security web site,
http://www.microsoft.com/technet/security/default.asp
Obtaining Support on this Issue
===============================
Information on contacting Microsoft Technical Support is available
at http://support.microsoft.com/support/contact/default.asp
Revisions
=========
- April 14, 2000: Bulletin Created.
socalgal
04-17-2000, 04:39 PM
Microsoft Security Bulletin (MS00-025)
--------------------------------------
Procedure Available to Eliminate "Link View Server-Side Component"
Vulnerability
Originally Posted: April 14, 2000
Updated: April 17, 2000
Summary
=======
On April 14, 2000, Microsoft issued the original version of this
bulletin, to discuss a security vulnerability affecting several web
server products. Shortly after publishing the bulletin, we learned of
a new, separate vulnerability that increased the threat to users of
these products. We updated the bulletin later on April 14, 2000, to
advise customers of the new vulnerability, and noted that we would
provide additional details when known. On April 17, 2000, we updated
the bulletin again to provide those details.
A procedure is available to eliminate a security vulnerability that
could allow a malicious user to cause a web server to crash, or
potentially run arbitrary code on the server, if certain permissions
have been changed from their default settings to inappropriate ones.
Although this bulletin has been updated several times as the
investigation of this issue has progressed, the remediation steps
have always remained the same - customers running affected web servers
should delete the affected file, Dvwssr.dll. Customers who have done
this at any point in the past do not need to take any further action.
Frequently asked questions regarding this vulnerability and
the procedure can be found at http://www.microsoft.com/technet/security/bulletin/fq00-025.asp
Issue
=====
Dvwssr.dll is a server-side component used to support the Link View
feature in Visual Interdev 1.0. However, it contains an unchecked
buffer. If overrun with random data, it could be used to cause an
affected server to crash, or could allow arbitrary code to run on the
server in a System context.
By default, the affected component, Dvwssr.dll, resides in a folder
whose permissions only allow web authors to execute it. Under these
conditions, only a person with web author privileges could exploit the
vulnerability - but a web author already has the ability to upload
and execute code of his choice, so this case represents little
additional threat. However, if the permissions on the folder were set
inappropriately, or the .dll were copied to a folder with lower
permissions, it could be possible for other users to execute the
component and exploit the vulnerability.
Affected Software Versions
==========================
The affected component is part of Visual Interdev 1.0. However, it is
a server-side component, and is included in the following products:
- Microsoft(r) Windows NT(r) 4.0 Option Pack, which is the
primary distribution mechanism for Internet Information
Server 4.0
- Personal Web Server 4.0, which ships as part of
Windows(r) 95 and 98
- Front Page 98 Server Extensions, which ships as part of
Front Page 98.
NOTE:
1. Windows 2000 is not affected by this vulnerability. Upgrading
from an affected Windows NT 4.0 to Windows 2000 removes the
vulnerability.
2. Installing Office 2000 Server Extensions on an affected server
removes this vulnerability.
3. Installing FrontPage 2000 Server Extensions on an affected
server removes this vulnerability.
Remediation
===========
To eliminate this vulnerability, customers who are hosting web sites
using any of the affected products should delete all copies of the
file Dvwssr.dll from their servers. The FAQ provides step-by-step
instructions for doing this. The only functionality lost by deleting
the file is the ability to generate link views of .asp pages using
Visual Interdev 1.0.
More Information
================
Please see the following references for more information related to
this issue.
- Frequently Asked Questions: Microsoft Security Bulletin MS00-025,
http://www.microsoft.com/technet/security/bulletin/fq00-025.asp
- Microsoft Knowledge Base article Q259799 discusses this issue and
will be available soon.
- Microsoft TechNet Security web site,
http://www.microsoft.com/technet/security/default.asp
Obtaining Support on this Issue
===============================
Information on contacting Microsoft Technical Support is available
at http://support.microsoft.com/support/contact/default.asp
Revisions
=========
- April 14, 2000: Bulletin Created.
- April 14, 2000: Bulletin updated to provide preliminary results
of investigation of buffer overrun vulnerability.
- April 17, 2000: Bulletin updated to provide final results of
investigation.
socalgal
04-20-2000, 04:51 PM
The following is a Security Bulletin from the Microsoft Product Security
Notification Service.
Please do not reply to this message, as it was sent from an unattended
mailbox.
********************************
-----BEGIN PGP SIGNED MESSAGE-----
Microsoft Security Bulletin (MS00-026)
======================================
Patch Available for "Mixed Object Access" Vulnerability
Originally Posted: April 20, 2000
Summary
=======
Microsoft has released a patch that eliminates a security
vulnerability in Microsoft(r) Windows(r) 2000 that could, under very
specific conditions, allow a malicious user to change information in
the Active Directory that he should not be able to change.
Frequently asked questions regarding this vulnerability and
the patch can be found at http://www.microsoft.com/technet/security/bulletin/fq00-026.asp
Issue
=====
Active Directory allows for access control of directory objects on a
per-attribute basis. However, the vulnerability at issue here could
allow a malicious user to modify object attributes that he does not
have permission to modify, as long as he combined the operation in a
particular way with ones involving attributes that he does have
permission to modify.
The vulnerability does not afford the malicious user an opportunity to
modify all objects in a class - only the specific class objects for
which he has permission to modify at least one attribute. Further, the
vulnerability provides no capability to bypass normal authentication
or Windows 2000 auditing, so administrators could determine if this
vulnerability were being exploited, and by whom.
Affected Software Versions
==========================
- Windows 2000 Server
- Windows 2000 Advanced Server
Note: The vulnerability only affects the above products when they are
used as domain controllers.
Note: Additional security patches are available at the Microsoft
Download Center.
More Information
================
Please see the following references for more information related to
this issue.
- Frequently Asked Questions: Microsoft Security Bulletin MS00-026,
http://www.microsoft.com/technet/security/bulletin/fq00-026.asp
- Microsoft Knowledge Base article Q259401 discusses this issue
and will be available soon.
- Microsoft TechNet Security web site,
http://www.microsoft.com/technet/security/default.asp
Obtaining Support on this Issue
===============================
This is a fully supported patch. Information on contacting
Microsoft Technical Support is available at http://support.microsoft.com/support/contact/default.asp
Acknowledgments
===============
Microsoft thanks Sebastien Malbois (mailto:smalbois@hotmail.com) of
Bouygues Construction http://www.bouygues-construction.com/ for
reporting this issue to us and working with us to protect customers.
Revisions
=========
- April 20, 2000: Bulletin Created.
socalgal
04-20-2000, 10:13 PM
The following is a Security Bulletin from the Microsoft Product Security
Notification Service.
Please do not reply to this message, as it was sent from an unattended
mailbox.
********************************
-----BEGIN PGP SIGNED MESSAGE-----
Microsoft Security Bulletin (MS00-027)
--------------------------------------
Patch Available for "Malformed Environment Variable" Vulnerability
Originally Posted: April 20, 2000
Summary
=======
Microsoft has released a patch that eliminates a security
vulnerability in Microsoft(r) Windows NT(r) 4.0 and Windows(r) 2000.
The vulnerability could allow a malicious user to make some or all of
the memory on an affected server unavailable, potentially slowing or
stopping an affected server's response time.
Frequently asked questions regarding this vulnerability
and the patch can be found at http://www.microsoft.com/technet/security/bulletin/fq00-027.asp
Issue
=====
CMD.EXE, the command processor for Windows NT 4.0 and Windows 2000,
has an unchecked buffer in part of the code that handles environment
strings. Although we believe that it could not be exploited to run
arbitrary code, it could be used to mount denial of service attacks
in certain cases. If a server provides batch or other script files, a
malicious user could potentially provide arguments that would create
an extremely large environment string and overflow the buffer. This
would cause the process to fail, and the memory allocated to the
process would not be made available again until a dialogue had been
cleared on the operator's console. By repeatedly running the batch
file, the malicious user could potentially make some or all of the
memory on the server temporarily unavailable.
As noted above, Microsoft believes that arbitrary code cannot be made
to execute via this vulnerability. The machines most likely to be
affected would be web servers, as they are the most likely types of
machines to offer batch files for use by remote users. However, even
an otherwise-affected web server would not be vulnerable to this
problem if an operator were present at the console to clear the error
dialogue promptly.
Affected Software Versions
==========================
- Microsoft Windows NT 4.0 Workstation
- Microsoft Windows NT 4.0 Server
- Microsoft Windows NT 4.0 Server, Enterprise Edition
- Microsoft Windows NT 4.0 Server, Terminal Server Edition
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Advanced Server
Patch Availability
==================
- Windows NT 4.0:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=20494
- Windows 2000:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=20503
Note: Additional security patches are available at the Microsoft
Download Center.
More Information
================
Please see the following references for more information related to
this issue.
- Frequently Asked Questions: Microsoft Security Bulletin MS00-027,
http://www.microsoft.com/technet/security/bulletin/fq00-027.asp
- Microsoft Knowledge Base article Q259622 discusses this issue
and will be available soon.
- Microsoft TechNet Security web site,
http://www.microsoft.com/technet/security/default.asp
Obtaining Support on this Issue
===============================
This is a fully supported patch. Information on contacting Microsoft
Technical Support is available at http://support.microsoft.com/support/contact/default.asp
Acknowledgments
===============
Microsoft thanks David Litchfield of Cerberus Information Security,
Ltd http://www.cerberus-infosec.co.uk/ for reporting this issue to
us and working with us to protect customers.
Revisions
=========
- April 20, 2000: Bulletin Created.
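The bulletin above ties the denial of service to the size of the environment string a batch file is launched with. The following is an added example, not Microsoft's code and not part of the bulletin: a server-side helper that builds the batch file's environment from request parameters and refuses to let untrusted input grow it past fixed caps. The cap values, the REQ_ prefix and the function names are illustrative assumptions.

```python
"""Bounding environment strings built from untrusted request data.

Added example, not Microsoft's code and not from the bulletin. MS00-027 is
about CMD.EXE mishandling a very large environment string; a web server
that turns remote arguments into environment variables for a batch file
decides how large that string gets, so capping it there is the natural
mitigation. All limits below are assumptions for illustration.
"""

MAX_VAR_NAME = 64            # assumed cap on a variable name
MAX_VAR_VALUE = 2048         # assumed cap on one value
MAX_ENV_TOTAL = 16 * 1024    # assumed cap on the whole block, in bytes
PREFIX = "REQ_"              # namespace so request data cannot shadow PATH etc.


class EnvironmentTooLarge(ValueError):
    """Raised when the request would push the environment past a cap."""


def environment_size(env):
    """Bytes needed for the 'NAME=value\\0' block CMD.EXE would receive."""
    return sum(len(k) + len(v) + 2 for k, v in env.items())


def build_script_environment(params, base_env=None):
    """Return a new environment dict for running a batch file.

    params   : request parameters (str -> str) supplied by the remote user
    base_env : trusted variables the script needs (never mutated)
    """
    env = dict(base_env or {})
    total = environment_size(env)
    for key, value in params.items():
        name = PREFIX + key.upper()
        # Refuse names that are not simple identifiers; they cannot be
        # set safely and may be an attempt to smuggle in separators.
        if not name.isidentifier() or len(name) > MAX_VAR_NAME:
            raise ValueError("rejected variable name %r" % key)
        if any(c in value for c in ("\0", "\r", "\n")):
            raise ValueError("control characters in value for %s" % name)
        if len(value) > MAX_VAR_VALUE:
            raise EnvironmentTooLarge("%s exceeds %d bytes" % (name, MAX_VAR_VALUE))
        total += len(name) + len(value) + 2
        if total > MAX_ENV_TOTAL:
            raise EnvironmentTooLarge(
                "environment block would exceed %d bytes" % MAX_ENV_TOTAL)
        env[name] = value
    return env


if __name__ == "__main__":
    # Constructed sample: one ordinary request and one oversized one.
    ok = build_script_environment({"user": "alice"}, {"PATH": r"C:\WINNT"})
    print("accepted:", sorted(ok))
    try:
        build_script_environment({"q": "A" * 5000})
    except EnvironmentTooLarge as exc:
        print("rejected:", exc)
```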
socalgal
04-21-2000, 06:01 PM
The following is a Security Bulletin from the Microsoft Product Security
Notification Service.
Please do not reply to this message, as it was sent from an unattended
mailbox.
********************************
-----BEGIN PGP SIGNED MESSAGE-----
Microsoft Security Bulletin (MS00-028)
--------------------------------------
Procedure Available to Eliminate "Server-Side Image Map Components"
Vulnerability
Originally Posted: April 21, 2000
Summary
=======
A procedure is available to eliminate a security vulnerability
affecting several web server products. The vulnerability could
potentially allow a malicious web site visitor to perform actions that
the system permissions authorize him to perform, but which he
previously may have had no means of actually carrying out.
Frequently asked questions regarding this vulnerability and the
remediation for it can be found at http://www.microsoft.com/technet/security/bulletin/fq00-028.asp
Issue
=====
The FrontPage 97 and 98 Server Extensions include two components,
Htimage.exe and Imagemap.exe, that provide CERN- and NCSA-compliant
server side image mapping support, respectively, for legacy browsers.
Both components contain unchecked buffers that could be used to run
arbitrary code. Although part of the Server Extensions, these
components also install as part of several other web server products.
The risk posed by this vulnerability is significantly restricted by
the fact that the affected components run "out of process" and in the
security context of the user. Thus, there is no capability through
this vulnerability to cause either the web service or the server
itself to crash, nor is there an opportunity to run code in an
elevated security context. However, it still could be possible for a
malicious user to perform actions that, though permitted, he would
otherwise be unable to take because the functionality was not exposed
via a web page or script.
Affected Software Versions
==========================
The affected components are part of the FrontPage 97 and 98 Server
Extensions. However, they also are distributed with several other web
server products. The complete list of products in which these
components ship is:
- FrontPage 97 Server Extensions, which ship as part of FrontPage 97
- FrontPage 98 Server Extensions, which ship as part of FrontPage 98
- Microsoft(r) Windows NT(r) 4.0 Option Pack, which is the primary
distribution mechanism for Internet Information Server 4.0
- Personal Web Server 4.0, which ships as part of Windows(r) 95
and 98
Remediation
===========
To eliminate this vulnerability, customers who are hosting web sites
using any of the affected products should delete all copies of the
files Htimage.exe and Imagemap.exe from their servers. The FAQ
provides step-by-step instructions for doing this. The only
functionality lost by deleting the file is the ability to support
image mapping for web site visitors using legacy browser products.
ISPs and other customers who allow others to self-manage web sites
should be aware that users who use FrontPage 97 or 98 to manage their
sites could unknowingly re-introduce the affected components onto
their sites when they upload content to it. This would not endanger
the server at large, but could nevertheless be cause for concern. The
FAQ discusses how to use functionality provided as part of the Server
Extensions to prevent this from happening.
More Information
================
Please see the following references for more information related to
this issue.
- Frequently Asked Questions: Microsoft Security Bulletin MS00-028,
http://www.microsoft.com/technet/security/bulletin/fq00-028.asp
- Microsoft Knowledge Base article Q260267 discusses this issue and
will be available soon.
- Microsoft TechNet Security web site,
http://www.microsoft.com/technet/security/default.asp
Obtaining Support on this Issue
===============================
Information on contacting Microsoft Technical Support is available at http://support.microsoft.com/support/contact/default.asp
Revisions
=========
- April 21, 2000: Bulletin Created.
socalgal
05-10-2000, 07:25 PM
The following is a Security Bulletin from the Microsoft Product Security
Notification Service.
Please do not reply to this message, as it was sent from an unattended
mailbox.
********************************
-----BEGIN PGP SIGNED MESSAGE-----
Microsoft Security Bulletin (MS00-031)
--------------------------------------
Patch Available for "Undelimited .HTR Request" and "File Fragment
Reading via .HTR" Vulnerabilities
Originally Posted: May 10, 2000
Summary
=======
Microsoft has released a patch that eliminates two security
vulnerabilities in Microsoft(r) Internet Information Server. The
vulnerabilities could, respectively, be used to slow an affected web
server's response or to obtain the source code of certain types of
files under very restricted conditions.
Frequently asked questions regarding these vulnerabilities
and the patch can be found at http://www.microsoft.com/technet/security/bulletin/fq00-031.asp
Issue
=====
This patch eliminates two security vulnerabilities that are unrelated
except by virtue of the fact that both exist in the ISAPI extension
that provides web-based password administration via .HTR scripts.
- The "Undelimited .HTR Request" vulnerability is a denial
of service vulnerability. If a malicious user provided a
password change request that was missing an expected
delimiter, the algorithm would conduct an unbounded search.
This would prevent it from servicing additional .HTR requests,
and could also slow the overall response of the server.
- The ".HTR File Fragment Reading" vulnerability could allow
fragments of certain types of files to be read by providing a
malformed request that would cause the .HTR processing to be
applied to them. However, the vulnerability could only be
exploited under extremely restrictive conditions, and the
most valuable data in the files would be the least likely to
actually appear in the fragments sent to the user.
Neither of these vulnerabilities would allow data to be added, deleted
or changed on the server, nor would they allow any administrative
control on the server to be usurped. Although .HTR files are used to
allow web-based password administration, neither of these
vulnerabilities involves any weakness in password handling. Also, if
security best practices have been followed, and unneeded script
mappings have been removed, many customers will have removed the .HTR
script mapping and thus be unaffected by either vulnerability.
Affected Software Versions
==========================
- Internet Information Server 4.0
- Internet Information Server 5.0
Patch Availability
==================
- Internet Information Server 4.0:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=20905
- Internet Information Server 5.0:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=20903
Note: Additional security patches are available at the Microsoft
Download Center
More Information
================
Please see the following references for more information related to
this issue.
- Frequently Asked Questions: Microsoft Security Bulletin MS00-031,
http://www.microsoft.com/technet/security/bulletin/fq00-031.asp
- Microsoft Knowledge Base article Q260838 discusses the
"Undelimited .HTR Request" vulnerability and will be available
soon.
- Microsoft Knowledge Base article Q260069 discusses the "File
Fragment Reading via .HTR" vulnerability and will be available
soon.
- How to Change Windows NT Account Passwords Using Internet
Information Server (IIS) 4.0,
http://www.microsoft.com/technet/support/kb.asp?ID=184619
- Microsoft TechNet Security web site,
http://www.microsoft.com/technet/security/default.asp
Obtaining Support on this Issue
===============================
This is a fully supported patch. Information on contacting Microsoft
Technical Support is available at http://support.microsoft.com/support/contact/default.asp
Acknowledgments
===============
Microsoft thanks Internet Security Systems' X-force (http://xforce.iss.net/), and David Litchfield of Cerberus Information
Security, Ltd (http://www.cerberus-infosec.co.uk/), for reporting
these vulnerabilities to us, and working with us to protect
customers.
Revisions
=========
- May 10, 2000: Bulletin Created.
pickel
05-11-2000, 06:08 PM
Will there ever be an end to updates and patches??????
BBA
05-11-2000, 06:49 PM
Well Pickel...you could always get X-nix, there are no updates or patches...
Then again, there are no updates or patches...
LOL
socalgal
05-11-2000, 07:31 PM
I don't think so, Pickel
=====================================
The following is a Security Bulletin from the Microsoft Product Security
Notification Service.
Please do not reply to this message, as it was sent from an unattended
mailbox.
********************************
-----BEGIN PGP SIGNED MESSAGE-----
Microsoft Security Bulletin (MS00-030)
--------------------------------------
Patch Available for "Malformed Extension Data in URL" Vulnerability
Originally Posted: May 11, 2000
Summary
=======
Microsoft has released a patch that eliminates a security
vulnerability in Microsoft(r) Internet Information Server. The
vulnerability could be used to slow the performance of an affected
server, or temporarily stop it altogether.
Frequently asked questions regarding this vulnerability and
the patch can be found at http://www.microsoft.com/technet/security/bulletin/fq00-030.asp
Issue
=====
In compliance with RFC 2396, the algorithm in IIS that processes URLs
has flexibility built in to allow it to process any arbitrary
sequence of file extensions or subresource identifiers (referred to in
the RFC as path_segments). By providing an URL that contains
specially-malformed file extension information, a malicious user could
misuse this flexibility in order to arbitrarily increase the work
factor associated with parsing the URL. This could consume much or all
of the CPU availability on the server and prevent useful work from
being done.
The vulnerability does not provide any capability to cause the server
to fail, or to add, change or delete data on it. Likewise, it
provides no capability to usurp administrative control of the web
server. The slowdown would only last until the URL had been
processed, at which point service would return to normal.
Affected Software Versions
==========================
- Microsoft Internet Information Server 4.0
- Microsoft Internet Information Server 5.0
Patch Availability
==================
- Internet Information Server 4.0:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=20906
- Internet Information Server 5.0:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=20904
Note: Additional security patches are available at the Microsoft
Download Center
More Information
================
Please see the following references for more information related to
this issue.
- Frequently Asked Questions: Microsoft Security Bulletin MS00-030,
http://www.microsoft.com/technet/security/bulletin/fq00-030.asp
- Microsoft Knowledge Base article Q260205 discusses this issue
and will be available soon.
- RFC 2396, Uniform Resource Identifiers (URI): Generic Syntax,
http://www.ietf.org/rfc/rfc2396.txt
- Microsoft TechNet Security web site,
http://www.microsoft.com/technet/security/default.asp
Obtaining Support on this Issue
===============================
This is a fully supported patch. Information on contacting Microsoft
Technical Support is available at http://support.microsoft.com/support/contact/default.asp
Acknowledgments
===============
Microsoft thanks Underground Security Systems Research http://www.ussrback.com for reporting this vulnerability to us and
working with us to protect customers.
Revisions
=========
- May 11, 2000: Bulletin Created.
[This message has been edited by socalgal (edited 05-11-2000).]
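The bulletin above describes a parser that will walk any number of RFC 2396 path_segments and extension components, so the client controls the work factor. The following is an added example, not Microsoft's code and not the IIS algorithm: a request-path check that splits the path the way the RFC grammar does and rejects requests whose segment, parameter or extension counts exceed fixed caps before any expensive processing runs. The cap values and the names PathCheck, check_request_path and split_path_segments are illustrative assumptions.

```python
"""Bounding the URL-parsing work factor for RFC 2396 path_segments.

Added example, not Microsoft's code and not from the bulletin. It models the
class of problem MS00-030 describes: a server willing to walk an arbitrary
sequence of '/'-separated segments, ';'-parameters and '.'-separated
extension components does work proportional to whatever the client sends.
The caps below are illustrative assumptions, not IIS settings.
"""
from dataclasses import dataclass

MAX_PATH_LENGTH = 2048        # assumed cap on the whole abs_path
MAX_SEGMENTS = 32             # path_segments = segment *( "/" segment )
MAX_PARAMS_PER_SEGMENT = 4    # segment = *pchar *( ";" param )
MAX_EXTENSIONS = 4            # '.'-separated suffix parts of the last segment


@dataclass
class PathCheck:
    accepted: bool
    reason: str
    segments: int
    extensions: int


def split_path_segments(path):
    """Split an abs_path into (segment_name, [params]) per RFC 2396 3.3."""
    if not path.startswith("/"):
        raise ValueError("abs_path must start with '/'")
    out = []
    for raw in path[1:].split("/"):
        name, *params = raw.split(";")
        out.append((name, params))
    return out


def count_extensions(segment_name):
    """Number of extension components after the first '.' in a name."""
    if "." not in segment_name:
        return 0
    return len(segment_name.split(".")) - 1


def check_request_path(path):
    """Cheap pre-check run before any script-mapping or file lookup."""
    if len(path) > MAX_PATH_LENGTH:
        return PathCheck(False, "path too long", 0, 0)
    try:
        segs = split_path_segments(path)
    except ValueError as exc:
        return PathCheck(False, str(exc), 0, 0)
    if len(segs) > MAX_SEGMENTS:
        return PathCheck(False, "too many path segments", len(segs), 0)
    for _name, params in segs:
        if len(params) > MAX_PARAMS_PER_SEGMENT:
            return PathCheck(False, "too many ';' params in a segment",
                             len(segs), 0)
    exts = count_extensions(segs[-1][0])
    if exts > MAX_EXTENSIONS:
        return PathCheck(False, "too many extension components",
                         len(segs), exts)
    return PathCheck(True, "ok", len(segs), exts)


if __name__ == "__main__":
    # Constructed sample requests: a normal page and two abusive shapes.
    for sample in ("/default.asp",
                   "/x" + ".asp" * 10,
                   "/" + "d/" * 40 + "f.htm"):
        print(sample[:40], "->", check_request_path(sample))
```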
socalgal
05-12-2000, 08:01 PM
Continued to MS Security Bulletins - Vol. 8 (http://sysopt.earthweb.com/forum/Forum1/HTML/006219.html)