Microsoft Security Program: Frequently Asked Questions: Microsoft Security Bulletin (MS99-029)
What's this bulletin about?
Microsoft Security Bulletin MS99-029 announces the availability of a patch that eliminates a security vulnerability in Microsoft® Internet Information Server (IIS) 4.0 and web server products that use it as their web engine. Microsoft takes security seriously, and is providing the bulletin to inform customers of the vulnerability and what they can do about it.
Has the regression error been eliminated from the patch?
Yes. We retracted the patch on August 11 because it was found to contain a regression error. We have removed the regression error from the patch and thoroughly tested it, and are confident in the patch that we are re-releasing today.
I installed the version of the patch that had the regression error. What should I do?
Download and install the new version of the patch. You do not need to remove the old patch in any way.
Does the regression error change Microsoft's assessment of the vulnerability?
No. The regression error was completely unrelated to the vulnerability. All of the information regarding the vulnerability is unchanged from our original assessment.
What's the scope of the vulnerability?
The vulnerability could allow denial of service attacks against an affected web server. A successful attack would cause the server to stop responding to service requests. It would remain in this condition until the attacking clients were closed or the IIS service were stopped and restarted, at which point normal processing would resume.
What is the vulnerability?
The vulnerability involves the way IIS 4.0 processes the header portion of an HTTP request. If an IIS 4.0 server received multiple HTTP requests containing specially malformed header information, IIS would consume all memory on the server. The specific malformation could not occur accidentally.
What products are affected by the vulnerability?
The vulnerability lies in IIS 4.0. However, several other Microsoft products use IIS 4.0 as their web engine and are therefore also affected. These include Microsoft Site Server 3.0; Microsoft Site Server 3.0, Commerce Edition; and Microsoft Commercial Internet System 2.0 and 2.5. If you have any of these products, you should consider applying the patch.
What's an HTTP request header?
When a web client requests a service from a web server, it does so through an HTTP request. An HTTP request has two parts, the header and the data. The header identifies what service the browser is requesting, along with parameters about the request. The data portion provides any data needed to service the request. For example, if the header contained an HTTP "PUT" request, the data portion would contain the data that the user wants to put onto the server.
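The header/data split described above, together with the kind of bound a server must place on the header portion so that malformed or oversized headers cannot drive memory consumption, as an added Python example. This is not code from the bulletin or from IIS; MAX_HEADER_BYTES, MAX_HEADER_COUNT, the error classes and the sample request are assumptions constructed for illustration.

```python
# Added example (not Microsoft's code): a minimal HTTP/1.x request parser that
# splits a request into its header portion and data portion and bounds the
# memory the header portion may consume. Limits, error classes and sample
# requests are constructed for illustration, not values from the bulletin.

MAX_HEADER_BYTES = 8 * 1024   # assumption: cap on the whole header block
MAX_HEADER_COUNT = 100        # assumption: cap on the number of header fields


class MalformedHeader(ValueError):
    """Header block violates request-line or field syntax."""


class HeaderTooLarge(ValueError):
    """Header block exceeds the configured bounds; it is rejected, not buffered."""


def parse_request(raw: bytes):
    """Return (method, target, headers, body) for one HTTP/1.x request."""
    # Look for the blank line ending the header only within the allowed window,
    # so the header block is never copied before its size is known to be bounded.
    end = raw.find(b"\r\n\r\n", 0, MAX_HEADER_BYTES + 4)
    if end < 0:
        raise HeaderTooLarge("header block unterminated within %d bytes" % MAX_HEADER_BYTES)
    head, body = raw[:end], raw[end + 4:]
    lines = head.split(b"\r\n")
    if len(lines) - 1 > MAX_HEADER_COUNT:
        raise HeaderTooLarge("more than %d header fields" % MAX_HEADER_COUNT)

    request_line = lines[0].split(b" ")
    if len(request_line) != 3 or not request_line[2].startswith(b"HTTP/1."):
        raise MalformedHeader("bad request line: %r" % lines[0])
    method, target = request_line[0].decode("ascii"), request_line[1].decode("ascii")

    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        # A field needs a non-empty ASCII token name with no surrounding whitespace.
        if not sep or not name or name != name.strip() or not name.isascii():
            raise MalformedHeader("bad header field: %r" % line)
        headers[name.decode("ascii").lower()] = value.strip().decode("latin-1")
    return method, target, headers, body


if __name__ == "__main__":
    # Constructed sample: a PUT whose data portion carries what the user uploads.
    print(parse_request(b"PUT /notes.txt HTTP/1.1\r\nHost: www.example.com\r\n"
                        b"Content-Length: 5\r\n\r\nhello"))
```

A header block that never terminates within the window, or that carries more fields than the cap, is refused before any per-field work is done, which is the property a server needs against clients that send header data without bound.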
Could an attacker take control of my server through this attack?
No. The attacker could not usurp control of the server, nor could they add, delete or modify any files on the server through this attack.
What should customers do?
Microsoft recommends that customers assess the risk that this vulnerability poses to their safe computing and determine whether or not to apply the patch. The download location for the patch is provided in the security bulletin.
What is Microsoft doing about this issue?
- Microsoft has developed a patch that eliminates the vulnerability.
- Microsoft has provided a security bulletin and this FAQ to provide customers with a detailed understanding of the vulnerability and the patch.
- Microsoft has sent copies of the security bulletin to all subscribers to the Microsoft Product Security Notification Service, a free e-mail service that customers can use to stay up to date with Microsoft security bulletins.
- Microsoft will provide technical details about the vulnerability to the International Computer Security Association's Intrusion Detection Consortium, to ensure that security vendors can incorporate this information into their products.
Where can I learn more about best practices for security?
The Microsoft Security web site is the best place to get information about Microsoft security. Security best practices for IIS can be found at http://www.microsoft.com/technet/security/chklist/iischk.mspx
How do I get technical support on this issue?
Information on contacting Microsoft Technical Support is available at http://support.microsoft.com/contactussupport/?ws=support.
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.