Microsoft Security Bulletin MS00-100

Technical description:

The FrontPage Server Extensions (FPSE) ship with and are installed by default as part of IIS 4.0 and 5.0. The most familiar FPSE functions allow web site and content management; however, FPSE also provides browse-time support functions. Among the functions included in the latter category are ones that help process web forms that have been submitted by a user. A vulnerability exists in one of these functions. If a malicious user levied a specially-malformed form submission to an affected server, it would cause the IIS service to fail. The vulnerability does not provide the opportunity to misuse any of the FPSE administrative or content management functions.

To resume normal operation on an IIS 4.0 server, the operator would need to restart the service. In contrast, if an IIS 5.0 server were attacked via this vulnerability, the IIS service would, by default, automatically restart almost immediately. Although any web sessions that were in progress at the time of the attack would be lost, the server would be able to accept new connections as soon as the service was restarted. FPSE is installed by default as part of IIS 4.0 and 5.0, but, in keeping with best practices, Microsoft recommends that they be disabled if not needed.

What's this bulletin about?
Microsoft Security Bulletin MS00-100 announces the availability of a patch that eliminates a vulnerability in a component that ships as part of Microsoft® Internet Information Server. Microsoft is committed to protecting customers' information, and is providing the bulletin to inform customers of the vulnerability and what they can do about it.

What's the scope of the vulnerability?
This is a denial of service vulnerability. By sending a specially-malformed form submission to an affected server, it would be possible for a malicious user to disrupt the server's operation.
The extent of the disruption would depend on the version of IIS in use on the server. If an IIS 4.0 server were successfully attacked via this vulnerability, the server operator would need to take action to restore service; an IIS 5.0 server would automatically restore service, but any web sessions that had been in progress at the time of the attack would be interrupted.

What causes the vulnerability?
A component of FrontPage Server Extensions (FPSE) that handles web forms doesn't adequately validate its input before using it. By sending a malformed form submission, it would be possible to cause the IIS service to fail.

Is this a vulnerability in FrontPage?
No. FrontPage and FrontPage Server Extensions are two completely different products. The most obvious difference is where the products run. FrontPage runs on a client machine, like a laptop or workstation; FPSE runs on the web server itself. Although FPSE has features that support FrontPage users, it also has features that aren't related in any way to FrontPage.

What are FrontPage Server Extensions?
FPSE is a set of programs that are included with IIS 4.0 and 5.0, and which aid in managing and developing content for a web site. FPSE's functionality can be divided broadly into two categories:

• Content management and administration tools. FPSE provides features that let administrators use FrontPage to remotely manage their web sites, or allow web developers using FrontPage to remotely add or modify the web pages on a site.
• Browse-time support. FPSE also includes functions that provide functionality commonly needed by web applications. For example, FPSE provides a component that can be incorporated into a web page to enable the user to search the site. This saves web developers from needing to write code to perform common functions.

Is this a vulnerability in IIS?
No. Although FPSE is included with IIS 4.0 and 5.0, the problem has nothing to do with these products per se. The problem lies entirely within FPSE.

Does the problem lie in the FPSE content management and administration functions, or in the browse-time support functions?
The problem lies in one of the browse-time support functions. Specifically, the problem lies in one of the browse-time functions that provides support for processing of web forms. If a form were submitted in a particular way, it would disrupt service on the web server.

What do you mean when you say that exploiting the vulnerability would "disrupt service"?
The effect of the exploiting the vulnerability would differ depending on whether the server was running IIS 4.0 or 5.0. In either case, though, it would interrupt service on the server.

• On an IIS 4.0 machine, exploiting the vulnerability would cause the IIS service to fail. The operator would need to restart it in order to resume normal operation.
• On an IIS 5.0 machine, exploiting the vulnerability would cause the service to fail, but it would automatically restart itself almost immediately. Any web sessions that were underway at the time of the attack would be lost, but the server would be able to start new sessions.

Is FPSE installed by default on IIS servers?
Yes, but you can remove FPSE if you'd like. Security best practices recommend always disabling any services that aren't needed, so customers who aren't using the FPSE functionality may wish to remove it. To do this, open a command prompt and issue the following commands:

• cd \Program Files\Common Files\Microsoft Shared\Web Server Extensions\40\bin
• fpsrvadm -o uninstall -p all

Could this vulnerability be used to add new content to a web site or to gain administrative control over it?
No. It's strictly a denial of service vulnerability.

Could someone exploit this vulnerability accidentally while using a web form?
No. To exploit the vulnerability, a malicious user would need to deliberately create a specially-malformed form submission request, and then send it to an affected server. The malformation does not occur in normal use.

I don't host any forms on my web site, but I do have FPSE installed. Could I be affected by the vulnerability?
Yes. As long as FPSE is installed on the web server, the vulnerability could be exploited.

Who should use the patch?
Microsoft recommends that all users running an affected IIS server consider installing the patch.

What does the patch do?
The patch eliminates the vulnerability by rejecting the malformed form submission. This is appropriate, as the form submission that exploits this vulnerability is an invalid one.

Where can I get the patch?
The download location for the patch is provided in the "Patch Availability" section of the security bulletin .

How do I use the patch?
The Knowledge Base article contains detailed instructions for applying the patch to your site.

How can I tell if I installed the patch correctly?
The Knowledge Base article provides a manifest of the files in the patch package.The easiest way to verify that you've installed the patch correctly is to verify that these files are present on your computer, and have the same sizes and creation dates as shown in the KB article.

What is Microsoft doing about this issue?

• Microsoft has delivered a patch that eliminates the vulnerability.
• Microsoft has provided a security bulletin and this FAQ to provide customers with a detailed understanding of the vulnerability and the procedure to eliminate it.
• Microsoft has sent copies of the security bulletin to all subscribers to the Microsoft Product Security Notification Service, a free e-mail service that customers can use to stay up to date with Microsoft security bulletins.
• Microsoft has issued a Knowledge Base article explaining the vulnerability and procedure in more detail.

Where can I learn more about best practices for security?
The Microsoft TechNet Security web site is the best to place to get information about Microsoft security.

How do I get technical support on this issue?
Microsoft Product Support Services can provide assistance with this or any other product support issue.

Download locations for this patch

• Microsoft IIS 5.0: http://www.microsoft.com/downloads/details.aspx?FamilyId=43CC3EF9-90F3-4B2B-9503-323738C1A1E9&displaylang=en
• Microsoft IIS 4.0:http://download.microsoft.com/download/winntsrv40/Patch/q280322/NT4/EN-US/Q280322i.EXE

  Note: The IIS 5.0 patch can be applied atop system running either Windows 2000 Gold or Service Pack 1. It will be included in Windows 2000 Service Pack 2.

  Note: The IIS 4.0 patch can be applied atop system running Windows NT 4.0 Service Pack 6a or 5. It will be included in Windows NT 4.0 Service Pack 7.

  Note: Both the IIS 4.0 and 5.0 patches can be applied on systems on which FPSE Service Release 1.2 has been installed. The fix will be included in the next FPSE service release.

  Note: IIS users who have removed the FPSE are not affected by this vulnerability and do not need to take further action.