What's this bulletin about?
Microsoft Security Bulletin MS00-063 announces the availability of a patch that eliminates a vulnerability in Microsoft® Internet Information Server (IIS). The vulnerability could allow a malicious user to prevent an affected web server from providing useful service. Microsoft is committed to protecting customers' information, and is providing the bulletin to inform customers of the vulnerability and what they can do about it.
What's the scope of the vulnerability?
This is a denial of service vulnerability. It could enable a malicious user to cause the IIS service on an affected web server to fail, thereby preventing the server from servicing requests for service.
This vulnerability does not provide the opportunity to compromise any data on the server or to usurp any administrative privileges on the server. In addition, an affected machine can be put back into useful service by restarting the IIS service.
What causes the vulnerability?
The vulnerability at issue here results from a flaw in Windows NT 4.0, but its effect is to cause IIS to mishandle a particular type of invalid URL under certain conditions. If an affected server received such an URL, it would cause the IIS service to fail.
What's the problem with URL at issue here?
If an invalid URL were sent to an affected server, it could under certain conditions cause the server to access invalid memory, thereby causing the IIS service to fail.
What would be result of the service failing?
If the IIS service failed, the server would be unable to respond to customers' requests for web pages, FTP services, and any other services provided by IIS.
How could an affected server be put back into service?
The server operator could restore service by restarting the IIS service. It would not be necessary to reboot the server.
Is Internet Information Server 5.0 affected?
No. IIS 5.0 handles URLs differently and is not affected.
Could this vulnerability be exploited accidentally?
No. The malformed URL at issue here could not be created by accident.
Should the patch be applied to any machines other than IIS servers?
Although the effect of the vulnerability manifests itself through IIS, the underlying problem actually lies within Windows NT 4.0. Microsoft engineers worked extensively to identify scenarios for exploiting the vulnerability directly through Windows NT 4.0, but did not find any - the only scenarios identified to date involve IIS. Nevertheless, it is possible that scenarios for exploiting the vulnerability through Windows NT 4.0 do exist, and as a result, we recommend that customers using Windows NT 4.0 consider applying the patch.
IIS is a server product. If a way were found to exploit this vulnerability via Windows NT 4.0, would it only affect servers?
No. Even though IIS is a server product, the underlying flaw is present in all versions of Windows NT 4.0 -- not just in Windows NT 4.0 Server. If it were possible to exploit the flaw through Windows NT 4.0, it could potentially affect Windows NT 4.0 workstations, servers and terminal servers.
Who should use the patch?
Microsoft recommends that customers using an affected version of IIS install the patch. In addition, as noted above, Microsoft recommends that customers using Windows NT 4.0 consider applying the patch.
What does the patch do?
The patch eliminates the flaw in Windows NT, which has the effect of causing IIS to correctly handle the malformed URL at issue.
Where can I get the patch?
The download location for the patch is provided in the "Patch Availability" section of the security bulletin .
How do I use the patch?
The Knowledge Base article contains detailed instructions for applying the patch to your site.
How can I tell if I installed the patch correctly?
The Knowledge Base article provides a manifest of the files in the patch package.The easiest way to verify that you've installed the patch correctly is to verify that these files are present on your computer, and have the same sizes and creation dates as shown in the KB article.
What is Microsoft doing about this issue?
- Microsoft has delivered a patch that eliminates the vulnerability.
- Microsoft has provided a security bulletin and this FAQ to provide customers with a detailed understanding of the vulnerability and the procedure to eliminate it.
- Microsoft has sent copies of the security bulletin to all subscribers to the Microsoft Product Security Notification Service, a free e-mail service that customers can use to stay up to date with Microsoft security bulletins.
- Microsoft has issued a Knowledge Base article explaining the vulnerability and procedure in more detail.
Where can I learn more about best practices for security?
The Microsoft TechNet Security web site is the best to place to get information about Microsoft security.
How do I get technical support on this issue?
Microsoft Product Support Services can provide assistance with this or any other product support issue.
