Microsoft KB Archive/917537

= MS06-034: Vulnerability in Internet Information Services that use Active Server Pages could allow remote code execution =

Article ID: 917537

Article Last Modified on 12/3/2007

-

== APPLIES TO ==

 * Microsoft Windows Server 2003 Service Pack 1, when used with:
   * Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
   * Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
   * Microsoft Windows Server 2003, Standard Edition (32-bit x86)
   * Microsoft Windows Server 2003, Web Edition
   * Microsoft Windows Server 2003, Datacenter Edition for Itanium-Based Systems
   * Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
 * Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
 * Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)
 * Microsoft Windows Server 2003, Web Edition
 * Microsoft Windows Server 2003, Datacenter x64 Edition
 * Microsoft Windows Server 2003, Enterprise x64 Edition
 * Microsoft Windows Server 2003, Standard x64 Edition
 * Microsoft Windows Server 2003, Datacenter Edition for Itanium-Based Systems
 * Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
 * Microsoft Windows XP Service Pack 2, when used with:
   * Microsoft Windows XP Professional
 * Microsoft Windows XP Service Pack 1, when used with:
   * Microsoft Windows XP Professional
 * Microsoft Windows XP Professional x64 Edition
 * Microsoft Windows 2000 Service Pack 4, when used with:
   * Microsoft Windows 2000 Advanced Server
   * Microsoft Windows 2000 Datacenter Server
   * Microsoft Windows 2000 Professional Edition
   * Microsoft Windows 2000 Server
 * Microsoft Internet Information Services 6.0
 * Microsoft Internet Information Services 5.1
 * Microsoft Internet Information Services 5.0

-


Microsoft has released security bulletin MS06-034. The security bulletin contains all the relevant information about the security update. This includes file manifest information and deployment options. To view the complete security bulletin, visit the following Microsoft Web site:

 * Home users: http://www.microsoft.com/athome/security/update/bulletins/200606.mspx
 * IT professionals: http://www.microsoft.com/technet/security/bulletin/ms06-034.mspx


== Symptoms ==

Users may experience an issue where the MS06-034 security update appears to install correctly, but is then reoffered by Auto Update or Windows Update. This occurs because of an issue with the way that Windows Update determines which computers should receive the update. Windows Update will mistakenly offer the update to computers that have the Internet Information Services (IIS) Common Files installed, but that do not have the Asp.dll binary to which the update applies.

== Workaround ==

This problem was corrected on July 17, 2006. Users who experience this problem can work around it by removing the IIS Common Files. To do this, follow these steps:

 1. Click Start, click Control Panel, and then double-click Add or Remove Programs.
 2. Click Add/Remove Windows Components, double-click Internet Information Services, click to clear the Common Files check box, click OK, click Next, and then click Finish.

== Symptoms ==

Users may experience an issue when they install the MS06-034 security update by using Windows Update or Auto Update. The update will appear to install correctly on computers that are running Windows Server 2003 SP1. However, if the update is installed when IIS is being used, the Asp.dll file is not updated. This problem occurs because IIS locks the Asp.dll file. This lock prevents the update from installing correctly.

== Resolution ==

This problem was corrected on July 17, 2006. Users who experience this problem can install the package again from Windows Update. Alternatively, users can manually download the update from the Microsoft Download Center.

Note: The update package itself is unchanged from the version that was offered on July 12, 2006.

Additional query words: update security_patch security_update security bug flaw vulnerability malicious attacker exploit registry unauthenticated buffer overrun overflow specially-formed scope specially-crafted denial of service DoS TSE WinNT Win2000

Keywords: kbwinserv2003sp2fix kbqfe kbsecurity kbsecbulletin kbsecvulnerability kbbug kbfix kbwin2000presp5fix kbpubtypekc KB917537

-


© Microsoft Corporation. All rights reserved.