Microsoft Security Bulletin (MS00-018): Frequently Asked Questions
What's this bulletin about?
Microsoft Security Bulletin MS00-018 announces the availability of a patch that eliminates a vulnerability in Microsoft® Internet Information Server 4.0. The vulnerability could allow a malicious user to consume all resources on a web server and prevent it from servicing other users. Microsoft is committed to protecting customers' information, and is providing the bulletin to inform customers of the vulnerability and what they can do about it.
What's the scope of the vulnerability?
This is a denial of service attack. A malicious user could use this vulnerability to consume all of the memory on a web server, thereby preventing it from performing useful work.
There is no capability through this vulnerability to change data or usurp administrative control on the server. An affected server could be put back into normal service by canceling the malicious user's session.
What causes the vulnerability?
The vulnerability results because, when a web client uses chunked encoding to stipulate the size of a buffer to reserve on the server, IIS 4.0 places no limits on how large a buffer can be reserved. By requesting an extremely large buffer but never filling it, a malicious user can make memory unavailable for other uses. If sufficient memory were blocked via this method, the server would be unable to perform any other work.
What is chunked encoding?
Chunked encoding is one of several transfer coding methods specified in the HTTP protocol. In a POST or PUT operation, the sender specifies a transfer coding method that tells the receiver the manner in which the data will be sent, and allows it to reserve resources to handle the session. One transfer coding method is "chunked encoding". When "chunked encoding" is selected, the data is sent in variable-sized chunks, and the sender and receiver negotiate how large each chunk will be.
Are any other transfer coding methods vulnerable to this problem?
No. Only chunked encoding is vulnerable.
Why is chunked encoding vulnerable to this problem?
The implementation of chunked encoding transfers doesn't restrict the size of the buffer that can be reserved. That is, IIS 4.0 will agree to a chunk size that consumes all of the memory on the server. This would allow a malicious user to request an enormous buffer simply for the purpose of denying memory to the server for useful work.
What would happen if my web server were attacked via this vulnerability?
The server would "hang" and stop responding to requests for service.
What would I need to do to put the server back into service?
The machine could be put back into service by stopping and restarting the IIS service. It would not be necessary to reboot the machine.
Could a malicious user "hang" my server indefinitely?
If a malicious user were able to get the server to allocate all or most of the memory on the machine to his session, the malicious user could deny service to other users indefinitely. However, as soon as he closed his session, the memory would be freed, it could be used for legitimate purposes, and service would return to normal.
Could this vulnerability be exploited accidentally?
It's extremely unlikely that this vulnerability could be accidentally exploited. It requires that the user not only reserve an extremely large buffer, but keep the session open indefinitely.
Could this vulnerability be exploited remotely?
Does this vulnerability affect the version of IIS in Windows 2000?
What does the patch do?
The patch causes IIS to limit how much memory can be reserved via chunked encoding.
Where can I get the patch?
The download location for the patch is provided in the "Patch Availability" section of the security bulletin
How can I tell if I installed the patch correctly?
Knowledge Base article 252693 provides a manifest of the files in the patch package. The easiest way to verify that you've installed the patch correctly is to check that these files are present on your computer, and have the same sizes and creation dates as shown in the KB article.
What is Microsoft doing about this issue?
- Microsoft has developed a patch that eliminates the vulnerability.
- Microsoft has provided a security bulletin and this FAQ to provide customers with a detailed understanding of the vulnerability and the patch.
- Microsoft has sent copies of the security bulletin to all subscribers to the Microsoft Product Security Notification Service , a free e-mail service that customers can use to stay up to date with Microsoft security bulletins.
- Microsoft has issued a Knowledge Base article explaining the vulnerability and patch in more detail.
Where can I learn more about best practices for security?
The Microsoft TechNet Security web site is the best to place to get information about Microsoft security.
How do I get technical support on this issue?
Microsoft Technical Support can provide assistance with this or any other product support issue.
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.