IIS Security Hole Found
- By Scott Bekker
- June 18, 1999
A security hole was found in Microsoft Corp.’s Internet Information Server 4.0 through which hackers can gain access to credit card numbers and other personal information over the Internet.
An advisory by the Computer Emergency Report Team at Carnegie Mellon Universtiy (www.cert.org) states that: A buffer overflow vulnerability affecting Microsoft Internet Information Server 4.0 has been discovered in the ISM.DLL library. According to Microsoft, ISM.DLL is the filter DLL that processes .HTR files. HTR files enable remote administration of user passwords.
To add insult to injury, a tool to exploit this vulnerability has been publicly released by eEye (www.eeye.com), a maker of security software that claims to have reported the defect to Microsoft last week.
Microsoft has released a temporary patch to stop hackers from attacking Web sites and claims a permanent fix is on the way. The patch can be found at: www.microsoft.com/security/bulletins/ms99-019.asp. --Thomas Sullivan
Scott Bekker is editor in chief of Redmond Channel Partner magazine.