Microsoft Security Bulletin MS00-025 - Critical
Procedure Available to Eliminate "Link View Server-Side Component" Vulnerability
Published: April 14, 2000 | Updated: April 17, 2000
On April 14, 2000, Microsoft issued the original version of this bulletin, to discuss a security vulnerability affecting several web server products. Shortly after publishing the bulletin, we learned of a new, separate vulnerability that increased the threat to users of these products. We updated the bulletin later on April 14, 2000, to advise customers of the new vulnerability, and noted that we would provide additional details when known. On April 17, 2000, we updated the bulletin again to provide those details.
A procedure is available to eliminate a security vulnerability that could allow a malicious user to cause a web server to crash, or potentially run arbitrary code on the server, if certain permissions have been changed from their default settings to inappropriate ones. Although this bulletin has been updated several times as the investigation of this issue has progressed, the remediation steps have always remained the same - customers running affected web servers should delete the affected file, Dvwssr.dll. Customers who have done this at any point in the past do not need to take any further action.
Frequently asked questions regarding this vulnerability and the procedure can be found at http://www.microsoft.com/technet/security/bulletin/fq00-025.mspx
Dvwssr.dll is a server-side component used to support the Link View feature in Visual Interdev 1.0. However, it contains an unchecked buffer. If overrun with random data, it could be used to cause an affected server to crash, or could allow arbitrary code to run on the server in a System context.
By default, the affected component, Dvwssr.dll, resides in a folder whose permissions only allow web authors to execute it. Under these conditions, only a person with web author privileges could exploit the vulnerability - but a web author already has the ability to upload and execute code of his choice, so this case represents little additional threat. However, if the permissions on the folder were set inappropriately, or the .dll were copied to a folder with lower permissions, it could be possible for other users to execute the component and exploit the vulnerability.
Affected Software Versions
The affected component is part of Visual Interdev 1.0. However, it is a server-side component, and is included in the following products:
- Microsoft® Windows NT® 4.0 Option Pack, which is the primary distribution mechanism for Internet Information Server 4.0
- Personal Web Server 4.0, which ships as part of Windows® 95 and 98
- Front Page 98 Server Extensions, which ships as part of Front Page 98.
Notes:
- Windows 2000 is not affected by this vulnerability. Upgrading from an affected Windows NT 4.0 to Windows 2000 removes the vulnerability.
- Installing Office 2000 Server Extensions on an affected server removes this vulnerability.
- Installing FrontPage 2000 Server Extensions on an affected server removes this vulnerability.
To eliminate this vulnerability, customers who are hosting web sites using any of the affected products should delete all copies of the file Dvwssr.dll from their servers. The FAQ provides step-by-step instructions for doing this. The only functionality lost by deleting the file is the ability to generate link views of .asp pages using Visual Interdev 1.0.
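As an added example (not taken from the bulletin or its FAQ), the following PowerShell script locates every copy of Dvwssr.dll under the given roots, lists which identities are allowed to execute each copy, and deletes the copies only when -Delete is passed. The default search root and the list of "broad" identities are assumptions to adjust for the server being checked.

```powershell
# Added example: inventory every copy of Dvwssr.dll and show who may execute it.
# The default for $Roots and the $BroadPrincipals list are assumptions.
param(
    [string[]]$Roots = @('C:\'),   # assumed search root; pass every local volume
    [switch]$Delete                # report-only unless this switch is given
)

# Assumed set of identities that are wider than "web authors".
$BroadPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')
$Execute = [System.Security.AccessControl.FileSystemRights]::ExecuteFile

function Find-Dvwssr {
    param([string[]]$Path)
    # -Filter is case-insensitive on Windows; -Force includes hidden files.
    # Folders that cannot be read are skipped instead of aborting the search.
    Get-ChildItem -Path $Path -Filter 'Dvwssr.dll' -File -Recurse -Force -ErrorAction SilentlyContinue
}

function Get-ExecuteGrants {
    param([System.IO.FileInfo]$File)
    # Allow entries (explicit or inherited) that include the execute right.
    (Get-Acl -LiteralPath $File.FullName).Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ($_.FileSystemRights -band $Execute) -eq $Execute
        }
}

$copies = @(Find-Dvwssr -Path $Roots)
foreach ($file in $copies) {
    $grants = @(Get-ExecuteGrants -File $file)
    $broad  = @($grants | Where-Object { $BroadPrincipals -contains $_.IdentityReference.Value })
    [pscustomobject]@{
        Path           = $file.FullName
        ExecuteAllowed = ($grants.IdentityReference.Value -join '; ')
        BroadAccess    = [bool]$broad.Count   # true if a wide group may execute it
    }
    if ($Delete) {
        Remove-Item -LiteralPath $file.FullName -Force
    }
}

if ($Delete) {
    # Re-scan so the run ends with proof that no copy is left behind.
    $left = @(Find-Dvwssr -Path $Roots)
    "Copies remaining after deletion: $($left.Count)"
}
```

Run it from an elevated session so that protected folders are included in the search; a copy reported with BroadAccess set to True is the inappropriate-permissions case described above.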
Vulnerability Identifier: CVE-2000-0260
Please see the following references for more information related to this issue.
- Frequently Asked Questions: Microsoft Security Bulletin MS00-025
- Microsoft Knowledge Base article 259799 discusses this issue and will be available soon.
- Microsoft TechNet Security web site
Obtaining Support on this Issue
Information on contacting Microsoft Technical Support is available at http://support.microsoft.com/contactussupport/?ws=support.
- April 14, 2000: Bulletin Created.
- April 14, 2000: Bulletin updated to provide preliminary results of investigation of buffer overrun vulnerability.
- April 17, 2000: Bulletin updated to provide final results of investigation.
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.