Microsoft Security Bulletin MS00-025
Procedure Available to Eliminate "Link View Server-Side Component" Vulnerability
Originally Posted: April 14, 2000
Updated: April 17, 2000
On April 14, 2000, Microsoft issued the original version of this bulletin, to discuss a security vulnerability affecting several web server products. Shortly after publishing the bulletin, we learned of a new, separate vulnerability that increased the threat to users of these products. We updated the bulletin later on April 14, 2000, to advise customers of the new vulnerability, and noted that we would provide additional details when known. On April 17, 2000, we updated the bulletin again to provide those details.
A procedure is available to eliminate a security vulnerability that could allow a malicious user to cause a web server to crash, or potentially run arbitrary code on the server, if certain permissions have been changed from their default settings to inappropriate ones. Although this bulletin has been updated several times as the investigation of this issue has progressed, the remediation steps have always remained the same - customers running affected web servers should delete the affected file, Dvwssr.dll. Customers who have done this at any point in the past do not need to take any further action.
Frequently asked questions regarding this vulnerability and the procedure can be found at http://www.microsoft.com/technet/security/bulletin/fq00-025.mspx
Please see the following references for more information related to this issue.
- Frequently Asked Questions: Microsoft Security Bulletin MS00-025
- Microsoft Knowledge Base article 259799 discusses this issue and will be available soon.
- Microsoft TechNet Security web site
Obtaining Support on this Issue
Information on contacting Microsoft Technical Support is available at http://support.microsoft.com/contactussupport/?ws=support.
- April 14, 2000: Bulletin Created.
- April 14, 2000: Bulletin updated to provide preliminary results of investigation of buffer overrun vulnerability
- April 17, 2000: Bulletin updated to provide final results of investigation.
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.