Microsoft KB Archive/327696

= MS02-062: October 2002 Cumulative Patch for Internet Information Services =

Article ID: 327696

Article Last Modified on 3/29/2007


APPLIES TO


 * Microsoft Internet Information Services 5.1
 * Microsoft Internet Information Services 5.0
 * Microsoft Internet Information Server 4.0




This article was previously published under Q327696



SYMPTOMS
Microsoft has released a cumulative patch for Internet Information Server (IIS) 4.0, Internet Information Services (IIS) 5.0, and IIS 5.1 that includes updates for the issues that are described in the following Microsoft Knowledge Base articles:

321599 MS02-028: Heap overrun in HTR chunked encoding might enable Web server compromise

319733 MS02-018: April 2002 cumulative patch for Internet Information Services

This patch includes not only previously released security patches, but also fixes for the following newly discovered security vulnerabilities that affect IIS 4.0, 5.0, and 5.1:
 * A privilege elevation vulnerability that affects the way ISAPIs are started when an IIS 4.0, 5.0, or 5.1 server is configured to run them out of process. By design, the hosting process (Dllhost.exe) runs only in the security context of the IWAM_computername account; however, it can actually be made to acquire LocalSystem privileges under certain circumstances, thereby enabling an ISAPI to do likewise.
 * A denial of service vulnerability that results because of a flaw in the way IIS 5.0 and 5.1 allocate memory for WebDAV requests. If a WebDAV request is malformed in a particular way, IIS allocates an extremely large amount of memory on the server. By sending several such requests, an attacker can cause the server to fail.
 * A vulnerability that involves the operation of the script source access permission in IIS 5.0. This permission operates in addition to the typical read/write permissions for a virtual directory, and regulates whether scripts, .ASP files, and executable file types can be uploaded to a write-enabled virtual directory. A typographical error in the table that defines the file types that are subject to this permission omits .COM files from the list of files subject to the permission. As a result, a user needs only write access to upload such a file.
 * A pair of Cross-Site Scripting (CSS) vulnerabilities that affect IIS 4.0, 5.0, and 5.1, and involve the administrative Web page. Each of these vulnerabilities has the same scope and effect: when a user clicks a link on an attacker's Web site, the attacker can relay a request that contains script to a third-party Web site that is running IIS, thereby causing the third-party site's response (which still includes the script) to be sent to the user. The script then renders using the security settings of the third-party site instead of the attacker's site.

Additionally, the patch causes IIS 5.0 and 5.1 to change how frequently the socket backlog list - which, when all connections on a server are allocated, holds the list of pending connection requests - is cleared. The patch changes IIS to clear the list more frequently to make it more resilient to flooding attacks. The backlog monitoring feature is not present in IIS 4.0.

Note These patches do not include fixes for vulnerabilities involving non-IIS products, such as the Microsoft FrontPage Server Extensions and Microsoft Index Server, although these products are closely associated with IIS and are typically installed on IIS servers. There is, however, one exception. The fix for the vulnerability that affects Index Server, which is discussed in Microsoft Security Bulletin MS01-033, is included in this patch because of the seriousness of the issue for IIS servers. At the time that this article was written, the Microsoft Security Bulletins that discuss these vulnerabilities are as follows:

Microsoft Security Bulletin MS01-043

Microsoft Security Bulletin MS01-025

Microsoft Security Bulletin MS00-084

Microsoft Security Bulletin MS00-018

Microsoft Security Bulletin MS00-006

All the previously listed fixes and cumulative patches are included in Windows 2000 Service Pack 3. For additional information about the latest service pack for Windows 2000, click the following article number to view the article in the Microsoft Knowledge Base:

260910 How to obtain the latest Windows 2000 service pack

Note The fixes for the following vulnerabilities that affect IIS 4.0 are not included in the patch because they require administrative action instead of a software change. Administrators must make sure that they not only apply this patch, but also take the administrative action that is described in the following bulletins:

Microsoft Security Bulletin MS00-028

Microsoft Security Bulletin MS00-025

Microsoft Security Bulletin MS99-025 (which discusses the same issue as Microsoft Security Bulletin MS98-004)

Microsoft Security Bulletin MS99-013



Windows XP service pack information
To resolve this problem, obtain the latest service pack for Microsoft Windows XP. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

322389 How to obtain the latest Windows XP service pack

Windows 2000 service pack information
To resolve this problem, obtain the latest service pack for Microsoft Windows 2000. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

260910 How to obtain the latest Windows 2000 service pack

Hotfix information

 * Internet Information Services 5.1
 * Internet Information Services 5.0
 * Internet Information Server 4.0

Internet Information Services 5.1
A supported hotfix is now available from Microsoft, but it is only intended to correct the problem that this article describes. Apply it only to systems that you determine are at risk of attack. Evaluate the computer's physical accessibility, network and Internet connectivity, and other factors to determine the degree of risk to the computer. See the associated Microsoft Security Bulletin to help determine the degree of risk. This hotfix may receive additional testing. If the computer is sufficiently at risk, we recommend that you apply this hotfix now.

To resolve this problem immediately, download the hotfix by following the instructions later in this article or contact Microsoft Product Support Services to obtain the hotfix. For a complete list of Microsoft Product Support Services telephone numbers and information about support costs, visit the following Microsoft Web site:

http://support.microsoft.com/contactus/?ws=support

Note In special cases, charges that are ordinarily incurred for support calls may be canceled, if a Microsoft Support Professional determines that a specific update will resolve your problem. The usual support costs will apply to additional support questions and issues that do not qualify for the specific update in question.

Download information
The following files are available for download from the Microsoft Download Center:

Windows XP Professional

English (US): Download the Q327696 package now

Arabic: Download the Q327696 package now

Chinese (Simplified): Download the Q327696 package now

Chinese (Traditional): Download the Q327696 package now

Czech: Download the Q327696 package now

Danish: Download the Q327696 package now

Dutch: Download the Q327696 package now

Finnish: Download the Q327696 package now

French: Download the Q327696 package now

German: Download the Q327696 package now

Greek: Download the Q327696 package now

Hebrew: Download the Q327696 package now

Hungarian: Download the Q327696 package now

Italian: Download the Q327696 package now

Japanese: Download the Q327696 package now

Korean: Download the Q327696 package now

Norwegian: Download the Q327696 package now

Polish: Download the Q327696 package now

Portuguese: Download the Q327696 package now

Portuguese (Brazil): Download the Q327696 package now

Russian: Download the Q327696 package now

Spanish: Download the Q327696 package now

Swedish: Download the Q327696 package now

Turkish: Download the Q327696 package now

Windows XP 64-Bit Edition

English (US): Download the Q327696 package now

French: Download the Q327696 package now

German: Download the Q327696 package now

Japanese: Download the Q327696 package now

Release Date: October 30, 2002

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:

119591 How to Obtain Microsoft Support Files from Online Services

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.

Installation information
If a dialog box appears that states you must restart your computer after you apply this update, you can safely ignore it. This update supports the following Setup switches:
 * /? Display the list of installation switches.
 * /u Unattended mode.
 * /f Force other programs to quit when the computer shuts down.
 * /n Do not back up files for removal.
 * /o Overwrite OEM files without prompting.
 * /z Do not restart when installation is complete.
 * /q Quiet mode (no user interaction).
 * /l List installed hotfixes.
 * /x Extracts the files without running Setup.

For example, the following command line installs the update without any user intervention and then does not force the computer to restart:

q329834_wxp_sp2_x86_enu /q /m /z

File information
The English version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

Windows XP Professional

The following files are installed in the %WINDIR%\System32\inetsrv folder:

   Date         Time   Version        Size     File name
   --------------------------------------------------------
   25-Sep-2002  14:46  5.1.2600.1125  339,456  Asp51.dll
   25-Sep-2002  14:46  5.1.2600.1125  117,248  Ftpsv251.dll
   25-Sep-2002  14:46  6.0.2600.1125  240,640  Httpext.dll
   25-Sep-2002  14:46  5.1.2600.1125   54,272  Httpod51.dll
   25-Sep-2002  14:46  6.0.2600.1125  240,640  Infocomm.dll
   25-Sep-2002  14:46  6.0.2600.1125   65,024  Isatq.dll
   25-Sep-2002  14:46  5.1.2600.1125   40,448  Ssinc51.dll
   25-Sep-2002  14:46  5.1.2600.1125  339,456  W3svc.dll

The following files are installed in the %WINDIR%\Help\iisHelp\iis\misc folder:

   Date         Time   Size    File name
   ----------------------------------------
   08-Aug-2002  14:31   2,411  Default.asp
   08-Aug-2002  14:31  19,224  Query.asp
   08-Aug-2002  14:31   6,527  Search.asp

Windows XP 64-Bit Edition

The following files are installed in the %WINDIR%\System32\inetsrv folder:

   Date         Time   Version        Size       File name
   ----------------------------------------------------------
   25-Sep-2002  14:47  5.1.2600.1125  1,052,672  Asp51.dll
   25-Sep-2002  14:47  5.1.2600.1125    289,792  Ftpsv251.dll
   25-Sep-2002  14:47  6.0.2600.1125    934,400  Httpext.dll
   25-Sep-2002  14:47  5.1.2600.1125    142,848  Httpod51.dll
   25-Sep-2002  14:47  6.0.2600.1125    667,648  Infocomm.dll
   25-Sep-2002  14:47  6.0.2600.1125    186,368  Isatq.dll
   25-Sep-2002  14:47  5.1.2600.1125     96,768  Ssinc51.dll
   25-Sep-2002  14:47  5.1.2600.1125    916,480  W3svc.dll

The following files are installed in the %WINDIR%\Help\iisHelp\iis\misc folder:

   Date         Time   Size    File name
   ----------------------------------------
   08-Aug-2002  14:32   2,411  Default.asp
   08-Aug-2002  14:32  19,224  Query.asp
   08-Aug-2002  14:32   6,527  Search.asp
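
The "(or later)" condition in the file table can be checked mechanically against file versions collected from a host. The following is an added example, not part of the original article or of any Microsoft tool; it uses the Windows XP Professional inetsrv rows listed above, and the function names and the sample inventory are constructed for illustration.

```python
# Audit collected file versions against the minimum versions that the
# KB 327696 file table lists for Windows XP Professional.

# Rows copied from the article's table for %WINDIR%\System32\inetsrv:
# date, time, version, size, file name.
KB_TABLE = """\
25-Sep-2002 14:46  5.1.2600.1125  339,456  Asp51.dll
25-Sep-2002 14:46  5.1.2600.1125  117,248  Ftpsv251.dll
25-Sep-2002 14:46  6.0.2600.1125  240,640  Httpext.dll
25-Sep-2002 14:46  5.1.2600.1125   54,272  Httpod51.dll
25-Sep-2002 14:46  6.0.2600.1125  240,640  Infocomm.dll
25-Sep-2002 14:46  6.0.2600.1125   65,024  Isatq.dll
25-Sep-2002 14:46  5.1.2600.1125   40,448  Ssinc51.dll
25-Sep-2002 14:46  5.1.2600.1125  339,456  W3svc.dll
"""

# Constructed sample inventory (file name -> version string), standing in
# for data gathered from one host. These values are not from the article.
SAMPLE_INVENTORY = {
    "Asp51.dll": "5.1.2600.1125",     # exactly the listed version
    "Ftpsv251.dll": "5.1.2600.1000",  # lower build: patch not applied
    "HTTPEXT.DLL": "6.0.2600.1125",   # file names are case-insensitive
    "Httpod51.dll": "5.1.2600.2180",  # later than listed is acceptable
    "Infocomm.dll": "6.0.2600.999",   # 999 < 1125 numerically, not as text
    "Isatq.dll": "6.0.2600.1125",
    "Ssinc51.dll": "not available",   # collector could not read a version
    # W3svc.dll deliberately absent
}


def parse_version(text):
    """Turn 'a.b.c.d' into a tuple of ints so comparison is numeric."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdecimal() for p in parts):
        raise ValueError("not a four-part version: %r" % text)
    return tuple(int(p) for p in parts)


def parse_table(text):
    """Return {lowercased file name: minimum version tuple} from table rows."""
    minimums = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip headers, rules and blank lines
        _date, _time, version, _size, name = fields
        minimums[name.lower()] = parse_version(version)
    return minimums


def audit(minimums, inventory):
    """Classify each listed file as ok, outdated, missing or unreadable."""
    observed = {name.lower(): ver for name, ver in inventory.items()}
    report = {}
    for name, required in sorted(minimums.items()):
        if name not in observed:
            # Reported separately from "outdated": the inventory has no
            # entry for this file, so nothing can be said about its version.
            report[name] = "missing"
            continue
        try:
            found = parse_version(observed[name])
        except ValueError:
            report[name] = "unreadable"
            continue
        report[name] = "ok" if found >= required else "outdated"
    return report


if __name__ == "__main__":
    for name, status in audit(parse_table(KB_TABLE), SAMPLE_INVENTORY).items():
        print("%-14s %s" % (name, status))
```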


Internet Information Services 5.0
A supported hotfix is now available from Microsoft, but it is only intended to correct the problem that this article describes. Apply it only to systems that you determine are at risk of attack. Evaluate your computer's physical accessibility, network and Internet connectivity, and other factors to determine the degree of risk to your computer. See the associated Microsoft Security Bulletin to help determine the degree of risk. This hotfix may receive additional testing. If your computer is sufficiently at risk, we recommend that you apply this hotfix now.

To resolve this problem immediately, download the hotfix by following the instructions later in this article or contact Microsoft Product Support Services to obtain the hotfix. For a complete list of Microsoft Product Support Services phone numbers and information about support costs, visit the following Microsoft Web site:

http://support.microsoft.com/default.aspx?scid=fh;EN-US;CNTACTMS

Note In special cases, charges that are ordinarily incurred for support calls may be canceled, if a Microsoft Support Professional determines that a specific update will resolve your problem. The usual support costs will apply to additional support questions and issues that do not qualify for the specific update in question.

Download information
The following files are available for download from the Microsoft Download Center:

English Language Version

Arabic Language Version

Chinese (Simplified) Language Version

Chinese (Traditional) Language Version

Czech Language Version

Danish Language Version

Dutch Language Version

Finnish Language Version

French Language Version

German Language Version

Greek Language Version

Hebrew Language Version

Hungarian Language Version

Italian Language Version

Japanese Language Version

Japanese NEC Language Version

Korean Language Version

Norwegian Language Version

Polish Language Version

Portuguese (Brazilian) Language Version

Portuguese Language Version

Russian Language Version

Spanish Language Version

Swedish Language Version

Turkish Language Version

Release Date: October 30, 2002

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:

119591 How to Obtain Microsoft Support Files from Online Services

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.

Installation information
Because of file dependencies, this update requires Windows 2000 Service Pack 2 (SP2) or Service Pack 3 (SP3). For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

260910 How to obtain the latest Windows 2000 service pack

Customers who use Site Server must be aware that a previously documented issue that involves intermittent authentication errors affects this and a small number of other patches. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

317815 Site Server logon problems occur after you apply certain Windows 2000 hotfixes

You do not have to restart your computer after you apply this update. This update supports the following Setup switches:
 * /? Display the list of installation switches.
 * /u Unattended mode.
 * /f Force other programs to quit when the computer shuts down.
 * /n Do not back up files for removal.
 * /o Overwrite OEM files without prompting.
 * /z Do not restart when installation is complete.
 * /q Quiet mode (no user interaction).
 * /l List installed hotfixes.
 * /x Extracts the files without running Setup.

For example, the following command line installs the update without any user intervention and then does not force the computer to restart:

q327696_w2k_sp4_x86_en /q /m /z

File information
The English version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

The following files are installed in the %Windir%\System32\ folder:

   Date         Time   Version        Size     File name
   --------------------------------------------------------
   17-Sep-2002  15:40  5.0.2195.6048  245,520  Adsiis.dll
   17-Sep-2002  15:40  5.0.2195.5255    8,464  Ftpctrs2.dll
   17-Sep-2002  15:40  5.0.2195.5617  122,128  Idq.dll
   17-Sep-2002  15:40  5.0.2195.5991   13,584  Infoadmn.dll
   17-Sep-2002  15:40  5.0.2195.5255  122,640  Iisrtl.dll
   17-Sep-2002  15:40  5.0.2195.5807   76,560  Msw3prt.dll
   17-Sep-2002  15:40  5.0.2195.5255    7,440  W3ctrs.dll

The following file is installed in the Program files\Microsoft Shared\Web Server Extensions\40\bin folder:

   Date         Time   Version        Size     File name
   --------------------------------------------------------
   16-Aug-2002  14:47  4.0.2.4701     593,976  Fp4autl.dll

The following files are installed in the %WINDIR%\Help\iisHelp\iis\misc folder:

   Date         Time   Size    File name
   ----------------------------------------
   22-Mar-2002  18:15   2,413  Default.asp
   22-Mar-2002  18:15  19,178  Query.asp
   22-Mar-2002  18:15   5,571  Search.asp

The following files are installed in the %Windir%\System32\inetsrv folder:

   Date         Time   Version        Size     File name
   --------------------------------------------------------
   17-Sep-2002  15:40  5.0.2195.6048  333,584  Asp.dll
   17-Sep-2002  15:40  5.0.2195.3649  299,792  Fscfg.dll
   17-Sep-2002  15:40  5.0.2195.5255    6,416  Ftpmib.dll
   17-Sep-2002  15:40  5.0.2195.5675  117,008  Ftpsvc2.dll
   17-Sep-2002  15:40  5.0.2195.6035  246,032  Httpext.dll
   17-Sep-2002  15:40  5.0.2195.5255    9,488  Httpmib.dll
   17-Sep-2002  15:40  5.0.2195.5663   56,592  Httpodbc.dll
   17-Sep-2002  15:40  5.0.2195.5991   78,608  Iislog.dll
   17-Sep-2002  15:40  5.0.2195.5991  246,544  Infocomm.dll
   17-Sep-2002  15:40  5.0.2195.6036   62,736  Isatq.dll
   17-Sep-2002  15:40  5.0.2195.5671   46,352  Ism.dll
   17-Sep-2002  15:40  5.0.2195.5255   26,896  Mdsync.dll
   17-Sep-2002  15:40  5.0.2195.5255   41,232  Ssinc.dll
   17-Sep-2002  15:40  5.0.2195.5995  349,456  W3svc.dll
   17-Sep-2002  15:40  5.0.2195.5995   72,976  Wam.dll


Internet Information Server 4.0
A supported hotfix is now available from Microsoft, but it is only intended to correct the problem that this article describes. Apply it only to systems that you determine are at risk of attack. Evaluate your computer's physical accessibility, network and Internet connectivity, and other factors to determine the degree of risk to your computer. See the associated Microsoft Security Bulletin to help determine the degree of risk. This hotfix may receive additional testing. If your computer is sufficiently at risk, we recommend that you apply this hotfix now.

To resolve this problem immediately, download the hotfix by following the instructions later in this article or contact Microsoft Product Support Services to obtain the hotfix. For a complete list of Microsoft Product Support Services phone numbers and information about support costs, visit the following Microsoft Web site:

http://support.microsoft.com/default.aspx?scid=fh;EN-US;CNTACTMS

Note In special cases, charges that are ordinarily incurred for support calls may be canceled, if a Microsoft Support Professional determines that a specific update will resolve your problem. The usual support costs will apply to additional support questions and issues that do not qualify for the specific update in question. Before you apply this update, back up your metabase. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

300675 How to create a metabase backup by using Internet Information Server 4.0 in Windows NT

Download information
The following file is available for download from the Microsoft Download Center:

Download the Q327696 package now.

Release Date: October 30, 2002

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:

119591 How to Obtain Microsoft Support Files from Online Services

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.

Installation information
This update requires Windows NT 4.0 Service Pack 6a. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

152734 How to obtain the latest Windows NT 4.0 service pack

To install this patch without restarting your computer, follow these steps:
 * 1) Stop all IIS services.
 * 2) Install the patch by using the /z switch.
 * 3) Restart the IIS services.

This update supports the following Setup switches:
 * /x Extract the files for later installation
 * /y Perform uninstall (only with /m or /q)
 * /f Force apps closed at shutdown
 * /n Do not create uninstall directory
 * /z Do not restart when update completes
 * /q Quiet Mode -- no user interface
 * /m Unattended mode
 * /l List installed hotfixes

File information
The English version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

The following files are installed in the %WINDIR%\System32\inetsrv\ folder (unless otherwise noted):

   Date         Time   Version     Size     File name
   ---------------------------------------------------------------------
   28-Aug-2002  20:09  4.2.780.1   214,544  %WINDIR%\System32\Adsiis.dll
   28-Aug-2002  20:10  4.2.780.1   331,200  Asp.dll
   28-Aug-2002  20:09  4.2.780.1    81,888  Ftpsvc2.dll
   28-Aug-2002  20:09  4.2.780.1    55,392  Httpodbc.dll
   13-Jul-2001  21:14  5.0.1782.4  193,296  %WINDIR%\System32\Idq.dll
   28-Aug-2002  20:08  4.2.780.1    63,984  Iislog.dll
   28-Aug-2002  20:08  4.2.780.1   185,792  Infocomm.dll
   28-Aug-2002  20:08  4.2.780.1    29,520  Iscomlog.dll
   28-Aug-2002  20:12  4.2.780.1    54,560  Ism.dll
   28-Aug-2002  20:10  4.2.780.1    31,872  Mdsync.dll
   28-Aug-2002  20:09  4.2.780.1    38,256  Ssinc.dll
   28-Aug-2002  20:09  4.2.780.1    25,360  Sspifilt.dll
   28-Aug-2002  20:09  4.2.780.1   231,104  W3svc.dll
   28-Aug-2002  20:08  4.2.780.1    88,032  Wam.dll

Note Because of file dependencies, this update may contain additional files.

Windows NT Server 4.0, Terminal Server Edition
Internet Information Server 4.0 is part of the Windows NT 4.0 Option Pack. The Option Pack is not supported on Windows NT Server 4.0, Terminal Server Edition. Patches for IIS 4.0 have been provided as part of the Windows NT Server 4.0, Terminal Server Edition Security Rollup Package (SRP) only for customers who have installed the Option Pack to protect their computers during the migration to a supported operating system. For additional information about the SRP, click the following article number to view the article in the Microsoft Knowledge Base:

317636 Windows NT Server 4.0, Terminal Server Edition, Security Rollup Package




STATUS
Microsoft has confirmed that this problem may cause a degree of security vulnerability in the Microsoft products that are listed in the "Applies to" section. This problem was first corrected in Microsoft Windows XP Service Pack 2. This problem was first corrected in Microsoft Windows 2000 Service Pack 4.



MORE INFORMATION
For more information about this vulnerability, visit the following Microsoft Web site:

http://www.microsoft.com/technet/security/bulletin/MS02-062.mspx

Additional query words: security_patch

Keywords: kbwinxpsp2fix kbwin2ksp4fix kbbug kbfix kbqfe kbsecbulletin kbsecurity kbsecvulnerability kbwin2000presp4fix kbwinxppresp2fix KB327696


© Microsoft Corporation. All rights reserved.