Microsoft issues patches for IIS
By Alun Williams
Posted on 29 May 2003 at 12:46
What is the collective noun for security bulletins? Well, there is a raft of new warnings from Microsoft covering the Windows Internet Information Server (IIS).
The serving of Web pages is threatened by the vulnerabilities, which involve Microsoft's Web server software.
Security Bulletin MS03-018 relates to Microsoft Internet Information Services (IIS) within Windows. Vulnerabilities within versions 4.0, 5.0 and 5.1 of IIS affect NT 4.0 Windows 200 and Windows XP systems respectively.
This problem has a severity warning of 'Important' (not the highest rating, which is 'Critical'). The update patches four vulnerabilities, including a Cross-Site Scripting (CSS) problem whereby an attacker can hide behind the security settings of a third-party site, a buffer-overrun problem caused by incorrect validation of server-side includes, and two denial of service vulnerabilities.
Note that IIS 6.0, which ships with Windows Server 2003, is not affected.
The Security Bulletin MS03-007 is also IIS-related. This updated patch - originally issued 17 March - addresses a vulnerability that lets an attacker use specially formed HTTP request to crash the server or execute code. It has a severity warning of 'Important', except for Windows 20000 systems, for which the problem is deemed 'Critical'
Microsoft Security Bulletin MS03-019 - entitled Flaw in ISAPI Extension for Windows Media Services Could Cause Denial of Service - relates to Windows 2000 and NT 4.0 systems.
This involves Windows Media Services and is rated only as a 'Moderate' risk by Microsoft. There is a flaw in the way in which the Internet Services Application Programming Interface (ISAPI) - implemented through nsiislog.dll - processes client requests. With specially formed communications to the server, an attacker could cause IIS to stop responding to Internet requests.
Finally, Microsoft Security Bulletin MS03-013 relates to the underlying stem-level services of Windows - the 'kernel' as Microsoft dubs it - and has a severity warning of 'Important'.
Affecting users of NT 4.0, NT 4.0 Server, Windows 2000 and Windows XP, this patch was originally posted 16 April but has been updated. It fixes a privilege elevation vulnerability whereby an attacker can run code of their choice with higher privileges. Possible actions include creating administrative accounts with all their associated powers for creating and deleting system data.
From around the web
advertisement
- Laptop bag reviews: nine tested
- Sony VAIO T Series Ultrabook review: first look
- Revealed: the military standards and robots HP uses to test its laptops
- Windows 8: multi-monitors and double standards?
- Why is TalkTalk's year-old porn filter suddenly big news?
- Why are laptop screens so far behind mobiles?
- HP EliteBook Folio review: first look
- The shoebox-sized all-in-one printer
- Forget the Ultrabook: here comes the HP Sleekbook
- HP Spectre XT review: first look
- Why you have to be left in the dark on OS patches
- Is Microsoft mismanaging Windows on ARM?
- Dealing with spam surrogates
- Why 3G broadband can be better and cheaper than ADSL
- Is Twitter bad for business?
- Publishing your email address isn't a security disaster
- Why you'll need a fax machine to develop iOS apps
- Learning to adapt to the mobile web
- Why you shouldn't use WPS on your Wi-Fi network
- Disabled users suffer when software breaks the rules
advertisement
