Microsoft Security Bulletin MS00-060 - Critical
Patch Available for 'IIS Cross-Site Scripting' Vulnerabilities
Published: August 25, 2000 | Updated: May 18, 2003
Originally posted: August 25, 2000
Updated: May 18, 2003
On August 25, 2000, Microsoft released the original version of this bulletin, to advise customers of the availability of a patch that eliminates a vulnerability in Microsoft® Internet Information Server. However, an additional variant of the vulnerability was subsequently identified, and on November 2, 2000, the bulletin was updated to advise customers of the availability of an updated patch.
The scope of the new vulnerability is exactly the same as that of the originally-reported one. The updated patch eliminates all known variants of the vulnerability. Customers who applied the original version of the patch should apply the new version to ensure that they are fully protected.
- Microsoft Internet Information Server 4.0
- Microsoft Internet Information Server 5.0
- Cross-Site Scripting Vulnerabilities: CAN-2000-0746
- Cross-Site Scripting Variant Vulnerability: CAN-2000-1104
On February 20, 2000, Microsoft and CERT published information on a newly-identified security vulnerability affecting all web server products. This vulnerability, known as Cross-Site Scripting (CSS), results when web applications don't properly validate inputs before using them in dynamic web pages. If a malicious web site operator were able to lure a user to his site, and had identified a third-party web site that was vulnerable to CSS, he could potentially use the vulnerability to "inject" script into a web page created by the other web site, which would then be delivered to the user. The net effect would be to cause the malicious user's script to run on the user's machine using the trust afforded the other site.
The vulnerability can affect any software that runs on a web server, accepts user input, and blindly uses it to generate web pages. Microsoft recommended that all vendors check their products to see if any are affected by the vulnerability, and initiated a check of its own products as well. Several features in IIS were found to be affected - some were found by Microsoft internal teams, and others were identified by customers - and this patch eliminates all of them.
What's this bulletin about?
On August 25, 2000, Microsoft released the original version of Microsoft Security Bulletin MS00-060, to announce the availability of a patch that eliminates vulnerabilities in Microsoft® Internet Information Server. After releasing the bulletin, an additional variant of the same vulnerability was identified, and we have updated the patch to protect against both the original vulnerability and the new variant.
What's the scope of the vulnerability?
The original vulnerability and the new variant have exactly the same scope. Both vulnerabilities could enable a malicious user to cause code to run on the machine of another user in the guise of a third-party web site. Such code could take any action on the user's computer that the third-party web site was permitted to take. In addition, the code could be made persistent, so that if the user returned to the web site again in the future, the code would begin running again.
The vulnerability could only be exploited if the user clicked on a hypertext link, either in an HTML mail or on a malicious user's web site - the code could not be "injected" into an existing session. The patch provided in the bulletin should be applied by web server administrators, to prevent their sites from being used as the third-party site discussed above. The current version of the patch protects against both the original vulnerability and the new variant.
What causes the vulnerability?
Certain web services provided by IIS don't properly validate all inputs before using them, and are consequently vulnerable to Cross-Site Scripting (CSS).
What's Cross-Site Scripting?
CSS is a recently-discovered security vulnerability that potentially enables a malicious user to "inject" code into a user's session with a web site. Unlike most security vulnerabilities, CSS doesn't apply to any single vendor's products - instead, it can affect any software that runs on a web server and doesn't follow defensive programming practices. In early 2000, Microsoft and CERT worked together to inform the software industry of the issue and lead an industry-wide response to it.
Microsoft published extensive information about CSS, including information for developers on how to check their code for potential vulnerabilities. Microsoft has identified several places in IIS where proper checking was not performed - some of these were found by our internal security teams, and others were identified by customers. The patch provided in the bulletin eliminates these flaws.
How does CSS work?
A good description is available in the form of an executive summary and a FAQ. However, at a high level of detail, here's how CSS works.
Suppose Web Site A offers a search feature that lets a user type a word or phrase he'd like to search for. If the user typed "banana" in as the search phrase, the site would search for the phrase, then generate a web page saying "I'm sorry, but I can't find the word 'banana'". It would send the web page to his browser, which would then parse the page and display it.
Now suppose that, instead of entering "banana" as the search phrase, he entered something like "banana ‹SCRIPT› ‹Alert('Hello');› ‹/SCRIPT›". If the search feature were written to blindly use whatever search phrase it's provided, it would search for the entire string, and create a web page saying "I'm sorry, but I can't find the word "banana ‹SCRIPT› ‹Alert('Hello');› ‹/SCRIPT›"". However, all of the text beginning with "‹SCRIPT›" and ending with "‹/SCRIPT›" is actually program code, so when the page was processed, a dialogue box would be displayed by the user's browser, saying "Hello".
So far, this example has only shown how a user could "relay" code off a web server and make it run on his own machine. That's not a security vulnerability. However, it's possible for a malicious web site operator to invoke this vulnerability to run on the computer of a user who visits his site. If Web Site B were operated by a malicious user and he was able to entice the user into visiting his web site and clicking a hyperlink, his site could go to Web Site A, fill in the search page with malicious script, and submit it on behalf of the user. The resulting page would return to the user (since the user, having clicked on the hyperlink, was ultimately the requester), and process on the user's machine. The end result would be that the malicious user's script would run on the user's machine.
What could the script do on the user's machine?
It would depend on the privileges Web Site A has on the user's machine. If both Web Site A and B had exactly the same permissions on a particular user's machine, it wouldn't confer any advantages. However, if the user had designated Web Site A as a trusted site, and allowed it to have greater privileges on his machine, the malicious user's code could take advantage of these increased privileges.
Would it matter what browser the user was using?
No. The important point here is that the problem lies with the software on the web server, not with the browser. The vulnerability could potentially occur anytime software on the web server blindly uses whatever inputs it's provided. Instead, it should filter out any inputs that aren't appropriate. In the example above, the search engine should strip out any characters that could be used to inject script into the search process, such as "". A full description of the characters that should be filtered is available in Knowledge Base article 252985.
I run a web site. In the example above, which web site would be mine?
Your web site would be Web Site A. The vulnerability wouldn't directly pose a threat to your web site - that is, the malicious user wouldn't seek to compromise your site, and the vulnerability wouldn't allow him to add, change or delete any content on it. However, he could use your site as a means of attacking users.
So, this patch needs to be installed on servers, not on browsers?
Yes. Customers using an affected product should install the patch to prevent their web site from being used in a CSS scenario.
What about the other software running on my web server? Could it be used for CSS?
Any software running on a web server could be vulnerable to CSS if it:
- solicits input from the user
- uses the input blindly, without performing validity checks, and
- incorporates the input into a dynamic web page that's sent to the user
Microsoft recommends that customers running web sites contact the suppliers of all software running on their servers, and verify that the vendor has reviewed it for CSS vulnerabilities.
Who should use the patch?
Microsoft recommends that the patch be installed on any web server that uses an affected product to generate dynamic web pages. Please note that static web pages cannot be used for CSS, so customers whose servers only supply static content would not need to apply the patch.
What does the patch do?
The patch eliminates all known CSS vulnerabilities in IIS, and ensures that proper validity checking is performed by all IIS features.
Where can I get the patch?
The download location for the patch is provided in the "Patch Availability" section of the security bulletin.
How do I use the patch?
The Knowledge Base article contains detailed instructions for applying the patch to your site.
How can I tell if I installed the patch correctly?
The Knowledge Base article provides a manifest of the files in the patch package.The easiest way to verify that you've installed the patch correctly is to verify that these files are present on your computer, and have the same sizes and creation dates as shown in the KB article.
What is Microsoft doing about this issue?
- Microsoft has delivered a patch that eliminates the vulnerability.
- Microsoft has provided a security bulletin and this FAQ to provide customers with a detailed understanding of the vulnerability and the procedure to eliminate it.
- Microsoft has sent copies of the security bulletin to all subscribers to the Microsoft Product Security Notification Service, a free e-mail service that customers can use to stay up to date with Microsoft security bulletins.
- Microsoft has issued two Knowledge Base articles 260347 and 275657 explaining the vulnerability and procedure in more detail.
Where can I learn more about best practices for security?
The Microsoft TechNet Security web site is the best to place to get information about Microsoft security.
How do I get technical support on this issue?
Microsoft Product Support Services can provide assistance with this or any other product support issue.
Download locations for this patch
- Internet Information Server 4.0:
- Internet Information Server 5.0:
Additional information about this patch
Installation platforms: Please see the following references for more information related to this issue.
- Information on Cross-Site Scripting Security Vulnerability, http://www.microsoft.com/technet/archive/security/news/crssite.mspx.
- CERT® Advisory CA-2000-02: Malicious HTML Tags Embedded in Client Web Requests, http://www.cert.org/advisories/CA-2000-02.html
- IIS 4 - Microsoft Knowledge Base (KB) article 260347, http://support.microsoft.com/default.aspx?scid=kb;en-us;260347
- IIS 5 - Microsoft Knowledge Base (KB) article 275657, http://support.microsoft.com/default.aspx?scid=kb;en-us;275657
Support: This is a fully supported patch. Information on contacting Microsoft Product Support Services is available at http://support.microsoft.com/contactussupport/?ws=support.
Security Resources: The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.
The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
- August 25, 2000: Bulletin Created.
- November 2, 2000: Bulletin updated to announce availability of a patch to eliminate a new variant of this issue.
- V2.0 (May 18, 2003): Introduced versioning and updated links to information on Cross-Site Scripting and Knowledge Base articles.
Built at 2014-04-18T13:49:36Z-07:00