News

IIS Security Patch Supplements SP2

Microsoft Corp. took the unusual step of issuing a mini-security pack for its IIS Web servers this week. The company recommends that users immediately apply the patch, which includes fixes for problems that aren't addressed in Windows 2000 Service Pack 2.

The security patch applies to Internet Information Server 4.0 and Internet Information Services 5.0. It includes fixes for three recently discovered vulnerabilities: code execution, denial of service and information disclosure.

The code execution vulnerability discovered by NSFocus also prompted CERT to issue an advisory this week rating the problem as "serious."

The new Microsoft patch also fixes memory leaks in two previous IIS patches and another problem in a third IIS patch.

In a departure from past practice, the patch rolls up every IIS 4 patch released since Windows NT 4.0 Service Pack 5 and every IIS 5 patch released to date, instead of just fixing the most recently discovered problems. The mini-security pack combines patches for IIS 4 from 22 previous security bulletins and patches for IIS 5 from 16 previous security bulletins; because many bulletins covered both versions, the patch rolls up fixes from 25 unique security bulletins in total.

This cumulative approach will be more common in the future, according to the company.

"As part of an ongoing effort to simplify the management of security patches, we will be deploying cumulative patches whenever feasible," the company said in its security bulletin describing the patch.

The new patch addresses all identified security vulnerabilities affecting IIS 5, including the recent dangerous vulnerability in Microsoft's implementation of the Internet Printing Protocol that could allow an attacker to take control of a Windows 2000 Server. That fix is also included in Windows 2000 SP2.

There are four identified vulnerabilities in IIS 4 from 1999 and 2000 that aren't included because they must be addressed through administrative action.

The new vulnerabilities fixed by the patch could:
* let an attacker execute operating system commands on a Web server via a superfluous decoding operation, in which IIS decodes the request path a second time after it has already run its security check on the once-decoded path;
* enable an attacker to take down an FTP server;
* allow an attacker to gain access to a "poorly configured" network via FTP.
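The superfluous-decoding flaw in the first item is easiest to see in code. The Python below is an added illustration written for this article; it is not Microsoft's code, not the patch, and not an exploit. It models the flawed order of operations (decode, check, decode again) beside the safe order (decode once, canonicalise, confine to the web root), and runs a simple detector over a few constructed IIS-style log lines. The web root `/inetpub/wwwroot`, the function names, the request strings and the log lines are all assumptions made for the example.

```python
"""
Added illustration (not Microsoft's code, not part of the original article):
how a "superfluous" second URL-decode lets a request slip past a traversal
check that runs between the two decodes, and how ordering the decode before
the check closes the gap. WEBROOT, the requests and the log lines are all
constructed for this example.
"""
import posixpath
import re
from urllib.parse import unquote

WEBROOT = "/inetpub/wwwroot"                    # assumed web root
SEP = re.compile(r"[\\/]")                      # IIS treats both separators alike
ESCAPE = re.compile(r"%[0-9A-Fa-f]{2}")         # a surviving percent-escape
DOUBLE_ENCODED = re.compile(r"%25[0-9A-Fa-f]{2}")  # '%25xx' = encoded '%xx'


def has_traversal(path: str) -> bool:
    """True if any path segment is literally '..'."""
    return any(seg == ".." for seg in SEP.split(path))


def flawed_server_path(raw_url_path: str):
    """Flawed order: decode, run the security check, then decode again.

    Returns the path the server would actually open, or None if rejected.
    After the first decode '..%5c..' is one odd-looking segment, so the
    traversal check passes; the second decode turns '%5c' into '\\' and
    the path now climbs out of the web root.
    """
    first = unquote(raw_url_path)
    if has_traversal(first):
        return None
    second = unquote(first)                     # the superfluous decode
    return second


def hardened_server_path(raw_url_path: str):
    """Safe order: decode exactly once, then canonicalise and confine.

    Any escape that survives the single decode means the client
    double-encoded the request; no legitimate client needs to, so the
    request is rejected outright (a defence-in-depth choice made here).
    """
    decoded = unquote(raw_url_path)
    if ESCAPE.search(decoded):
        return None
    normalised = SEP.sub("/", decoded).lstrip("/")
    full = posixpath.normpath(posixpath.join(WEBROOT, normalised))
    if full != WEBROOT and not full.startswith(WEBROOT + "/"):
        return None                             # resolved outside the root
    return full


def flag_double_encoded_requests(log_lines):
    """Return log lines whose request carries a double-encoded escape
    such as '%255c' or '%252f', the signature of this class of probe."""
    return [line for line in log_lines if DOUBLE_ENCODED.search(line)]


# Constructed sample log lines in IIS W3C style (not real traffic).
SAMPLE_LOG = [
    "2001-05-16 10:01:02 10.0.0.5 GET /default.htm - 200",
    "2001-05-16 10:01:09 10.0.0.5 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 200",
    "2001-05-16 10:01:15 10.0.0.7 GET /images/logo%20small.gif - 200",
    "2001-05-16 10:01:22 10.0.0.9 GET /scripts/..%252f../winnt/system32/cmd.exe /c+dir 404",
]

if __name__ == "__main__":
    probe = "/scripts/..%255c../winnt/system32/cmd.exe"
    print("flawed   :", flawed_server_path(probe))
    print("hardened :", hardened_server_path(probe))
    print("benign   :", hardened_server_path("/images/logo%20small.gif"))
    for line in flag_double_encoded_requests(SAMPLE_LOG):
        print("suspect  :", line)
```

Note that the single-encoded form `..%5c..` is caught by the flawed server too, because the first decode already yields `..`; it is only the doubly encoded `..%255c..` that passes the check and is then decoded a second time. The detector keys on exactly that `%25xx` pattern, which is why it fires on the two probe lines and not on the benign `%20` in a filename.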

The patch can be installed on systems running Windows NT 4.0 SP5 or SP6a and systems running Windows 2000 with SP1, SP2 or no service pack.

The three new fixes and three old fixes Microsoft addressed this week with the mini-security pack will be included in Windows 2000 Service Pack 3, whenever that ships, and in the forthcoming security roll-up for Windows NT that Microsoft announced when it cancelled plans for a Windows NT 4 SP7.

Microsoft's security bulletin describing the patch roll-up, with download links, may be found here.

Related Articles:
W2K SP2 Officially Released
W2K SP2 Technical Overview
Microsoft Kills SP7 for NT4
IIS 5 Vulnerability Could Allow Unauthorized Control of W2K

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.