Microsoft Patches Flaw in IIS Web Server

Flaw allows attackers to run whatever code they choose on vulnerable servers.

Microsoft Corp. on Wednesday issued a patch for a flaw in several versions of the IIS Web server that allows attackers to run whatever code they choose on vulnerable servers.

The vulnerability allows for a cross-site scripting attack on machines running IIS 4, 5 and 5.1. In order to exploit the weakness, an attacker would need to entice a user into visiting a malicious Web site and then clicking on a link. That link could send a request containing a script to a third-party Web site running IIS.

That sites response would contain the script, which when sent to the user, would execute on the users machine using the security settings of the third-party site.

The fix for this vulnerability is included in a cumulative patch for the affected versions of IIS, available here.

Microsoft, based in Redmond, Wash., also included fixes for three other new IIS vulnerabilities in the roll-up. One is a buffer overrun in IIS 5 that allows attackers to run arbitrary code with user-level privileges on vulnerable servers. The second is a denial-of-service flaw resulting from the way in which IIS 4 and 5 allocate memory requests when constructing headers to be sent back to a Web browser. And the third is another denial-of-service condition that is the result of IIS 5 and 5.1 mishandling error conditions when an overly long WebDAV request is passed to them. In both cases, IIS would fail as the result of a successful attack.

Microsoft also issued a patch for a flaw in an ISAPI extension in Windows Media Services running on NT 4.0 and Windows 2000. The extension processes incoming requests incorrectly, and an attacker who was able to send a specially formatted requested to the server could cause IIS to stop responding.

The patch for this issue is located here.

Latest Security News: