Microsoft Patches Flaw in IIS Web Server | eWeek

Microsoft Patches Flaw in IIS Web Server

Verfasst von
Dennis Fisher
Dennis Fisher
May 28, 2003
2 minute read
eWeek Inhalte und Produktempfehlungen sind redaktionell unabhängig. Wir können Geld verdienen, wenn Sie auf Links zu unseren Partnern klicken. Mehr erfahren

Microsoft Corp. on Wednesday issued a patch for a flaw in several versions of the IIS Web server that allows attackers to run whatever code they choose on vulnerable servers.

The vulnerability allows for a cross-site scripting attack on machines running IIS 4, 5 and 5.1. In order to exploit the weakness, an attacker would need to entice a user into visiting a malicious Web site and then clicking on a link. That link could send a request containing a script to a third-party Web site running IIS.

That sites response would contain the script, which when sent to the user, would execute on the users machine using the security settings of the third-party site.

The fix for this vulnerability is included in a cumulative patch for the affected versions of IIS, available here.

Microsoft, based in Redmond, Wash., also included fixes for three other new IIS vulnerabilities in the roll-up. One is a buffer overrun in IIS 5 that allows attackers to run arbitrary code with user-level privileges on vulnerable servers. The second is a denial-of-service flaw resulting from the way in which IIS 4 and 5 allocate memory requests when constructing headers to be sent back to a Web browser. And the third is another denial-of-service condition that is the result of IIS 5 and 5.1 mishandling error conditions when an overly long WebDAV request is passed to them. In both cases, IIS would fail as the result of a successful attack.

Microsoft also issued a patch for a flaw in an ISAPI extension in Windows Media Services running on NT 4.0 and Windows 2000. The extension processes incoming requests incorrectly, and an attacker who was able to send a specially formatted requested to the server could cause IIS to stop responding.

The patch for this issue is located here.

Latest Security News:

eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

Eigentum von TechnologyAdvice. © 2026 TechnologyAdvice. Alle Rechte vorbehalten

Werbetreibenden-Offenlegung: Einige der auf dieser Website erscheinenden Produkte stammen von Unternehmen, von denen TechnologyAdvice eine Vergütung erhält. Diese Vergütung kann beeinflussen, wie und wo Produkte auf dieser Website erscheinen, einschließlich beispielsweise der Reihenfolge, in der sie erscheinen. TechnologyAdvice schließt nicht alle Unternehmen oder alle auf dem Marktplatz verfügbaren Produkttypen ein.