Security Bulletin
Microsoft Security Bulletin MS00-063 - Important
Patch Available for 'Invalid URL' Vulnerability
Published: September 05, 2000
Version: 1.0
Originally posted: September 05, 2000
Summary
Microsoft has released a patch that eliminates a security vulnerability in Microsoft® Internet Information Server (IIS). The vulnerability could enable a malicious user to prevent an affected web server from providing useful service.
Affected Software:
- Microsoft Internet Information Server 4.0
Note: As noted above in "Issue", the root cause of this vulnerability lies in Windows NT 4.0, and Microsoft recommends that customers using Windows NT 4.0 consider applying the patch.
Vulnerability Identifier: CVE-2000-0858
General Information
Technical details
Technical description:
If an affected web server received a particular type of invalid URL, it could, under certain conditions, start a chain of events that would culminate in an invalid memory request that would cause the IIS service to fail. This would prevent the server from providing web services.
This vulnerability does not provide the opportunity to compromise any data on the server or to usurp any administrative privileges on the server. An affected machine could be put back into service by restarting the IIS service.
Although the effect of the vulnerability manifests itself through IIS, the underlying problem actually lies within Windows NT 4.0. Microsoft engineers worked extensively to identify scenarios for exploiting the vulnerability directly through Windows NT 4.0, but did not find any - the only scenarios identified to date involve IIS. Nevertheless, it is possible that scenarios for exploiting the vulnerability through Windows NT 4.0 do exist, and as a result, we recommend that customers using Windows NT 4.0 consider applying the patch.
Frequently asked questions
What's this bulletin about?
Microsoft Security Bulletin MS00-063 announces the availability of a patch that eliminates a vulnerability in Microsoft® Internet Information Server (IIS). The vulnerability could allow a malicious user to prevent an affected web server from providing useful service. Microsoft is committed to protecting customers' information, and is providing the bulletin to inform customers of the vulnerability and what they can do about it.
What's the scope of the vulnerability?
This is a denial of service vulnerability. It could enable a malicious user to cause the IIS service on an affected web server to fail, thereby preventing the server from servicing requests for service.
This vulnerability does not provide the opportunity to compromise any data on the server or to usurp any administrative privileges on the server. In addition, an affected machine can be put back into useful service by restarting the IIS service.
What causes the vulnerability?
The vulnerability at issue here results from a flaw in Windows NT 4.0, but its effect is to cause IIS to mishandle a particular type of invalid URL under certain conditions. If an affected server received such an URL, it would cause the IIS service to fail.
What's the problem with URL at issue here?
If an invalid URL were sent to an affected server, it could under certain conditions cause the server to access invalid memory, thereby causing the IIS service to fail.
What would be result of the service failing?
If the IIS service failed, the server would be unable to respond to customers' requests for web pages, FTP services, and any other services provided by IIS.
How could an affected server be put back into service?
The server operator could restore service by restarting the IIS service. It would not be necessary to reboot the server.
Is Internet Information Server 5.0 affected?
No. IIS 5.0 handles URLs differently and is not affected.
Could this vulnerability be exploited accidentally?
No. The malformed URL at issue here could not be created by accident.
Should the patch be applied to any machines other than IIS servers?
Although the effect of the vulnerability manifests itself through IIS, the underlying problem actually lies within Windows NT 4.0. Microsoft engineers worked extensively to identify scenarios for exploiting the vulnerability directly through Windows NT 4.0, but did not find any - the only scenarios identified to date involve IIS. Nevertheless, it is possible that scenarios for exploiting the vulnerability through Windows NT 4.0 do exist, and as a result, we recommend that customers using Windows NT 4.0 consider applying the patch.
IIS is a server product. If a way were found to exploit this vulnerability via Windows NT 4.0, would it only affect servers?
No. Even though IIS is a server product, the underlying flaw is present in all versions of Windows NT 4.0 -- not just in Windows NT 4.0 Server. If it were possible to exploit the flaw through Windows NT 4.0, it could potentially affect Windows NT 4.0 workstations, servers and terminal servers.
Who should use the patch?
Microsoft recommends that customers using an affected version of IIS install the patch. In addition, as noted above, Microsoft recommends that customers using Windows NT 4.0 consider applying the patch.
What does the patch do?
The patch eliminates the flaw in Windows NT, which has the effect of causing IIS to correctly handle the malformed URL at issue.
Where can I get the patch?
The download location for the patch is provided in the "Patch Availability" section of the security bulletin.
How do I use the patch?
The Knowledge Base article contains detailed instructions for applying the patch to your site.
How can I tell if I installed the patch correctly?
The Knowledge Base article provides a manifest of the files in the patch package.The easiest way to verify that you've installed the patch correctly is to verify that these files are present on your computer, and have the same sizes and creation dates as shown in the KB article.
What is Microsoft doing about this issue?
- Microsoft has delivered a patch that eliminates the vulnerability.
- Microsoft has provided a security bulletin and this FAQ to provide customers with a detailed understanding of the vulnerability and the procedure to eliminate it.
- Microsoft has sent copies of the security bulletin to all subscribers to the Microsoft Product Security Notification Service, a free e-mail service that customers can use to stay up to date with Microsoft security bulletins.
- Microsoft has issued a Knowledge Base article explaining the vulnerability and procedure in more detail.
Where can I learn more about best practices for security?
The Microsoft TechNet Security web site is the best to place to get information about Microsoft security.
How do I get technical support on this issue?
Microsoft Product Support Services can provide assistance with this or any other product support issue.
Patch availability
Download locations for this patch
- Microsoft Windows NT 4.0 Workstation, Server and Server, Enterprise Edition:
https://www.microsoft.com/download/details.aspx?FamilyId=B2A1FED4-F251-4233-B911-22C4DD81438E&displaylang;=en
Additional information about this patch
Installation platforms: Please see the following references for more information related to this issue.
- Microsoft Knowledge Base (KB) article Q271652, https:
Other information:
Acknowledgments
Microsoft thanks Peter Grundl of VIGILANTe (https://www.vigilante.com)for reporting this issue to us and working with us to protect customers.
Support: This is a fully supported patch. Information on contacting Microsoft Product Support Services is available at </https:>https:.
Security Resources: The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.
Disclaimer:
The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
Revisions:
- September 05, 2000: Bulletin Created.
Built at 2014-04-18T13:49:36Z-07:00 </https:>