Article ID: 327696
Article Last Modified on 3/29/2007
APPLIES TO
- Microsoft Internet Information Services 5.1
- Microsoft Internet Information Services 5.0
- Microsoft Internet Information Server 4.0
This article was previously published under Q327696
SYMPTOMS
Microsoft has released a cumulative patch for Internet Information Server (IIS) 4.0, Internet Information Services (IIS) 5.0, and IIS 5.1 that includes updates for the issues that are described in the following Microsoft Knowledge Base articles:
321599 MS02-028: Heap overrun in HTR chunked encoding might enable Web server compromise
319733 MS02-018: April 2002 cumulative patch for Internet Information Services
This patch includes not only previously released security patches, but also fixes for the following newly discovered security vulnerabilities that affect IIS 4.0, 5.0, and 5.1:
- A privilege elevation vulnerability that affects the way ISAPIs are started when an IIS 4.0, 5.0, or 5.1 server is configured to run them out of process. By design, the hosting process (Dllhost.exe) runs only in the security context of the IWAM_computername account; however, it can actually be made to acquire LocalSystem privileges under certain circumstances, thereby enabling an ISAPI to do likewise.
- A denial of service vulnerability that results because of a flaw in the way IIS 5.0 and 5.1 allocate memory for WebDAV requests. If a WebDAV request is malformed in a particular way, IIS allocates an extremely large amount of memory on the server. By sending several such requests, an attacker can cause the server to fail.
- A vulnerability that involves the operation of the script source access permission in IIS 5.0. This permission operates in addition to the typical read/write permissions for a virtual directory, and regulates whether scripts, .ASP files, and executable file types can be uploaded to a write-enabled virtual directory. A typographical error in the table that defines the file types that are subject to this permission omits .COM files from the list of files subject to the permission. As a result, a user needs only write access to upload such a file.
- A pair of Cross-Site Scripting (CSS) vulnerabilities that affect IIS 4.0, 5.0, and 5.1, and involve the administrative Web page. Each of these vulnerabilities has the same scope and effect: when a user clicks a link on an attacker's Web site, the attacker can relay a request that contains script to a third-party Web site that is running IIS, thereby causing the third-party site's response (which still includes the script) to be sent to the user. The script then renders using the security settings of the third-party site instead of the attacker's site.
Additionally, the patch causes IIS 5.0 and 5.1 to change how frequently the socket backlog list - which, when all connections on a server are allocated, holds the list of pending connection requests - is cleared. The patch changes IIS to clear the list more frequently to make it more resilient to flooding attacks. The backlog monitoring feature is not present in IIS 4.0.
Note These patches do not include fixes for vulnerabilities involving non-IIS products, such as the Microsoft FrontPage Server Extensions and Microsoft Index Server, although these products are closely associated with IIS and are typically installed on IIS servers. There is, however, one exception. The fix for the vulnerability that affects Index Server, which is discussed in Microsoft Security Bulletin MS01-033, is included in this patch because of the seriousness of the issue for IIS servers. At the time that this article was written, the Microsoft Security Bulletins that discuss these vulnerabilities are as follows:
Microsoft Security Bulletin MS01-043
Microsoft Security Bulletin MS01-025
Microsoft Security Bulletin MS00-084
Microsoft Security Bulletin MS00-018
Microsoft Security Bulletin MS00-006
All the previously listed fixes and cumulative patches are included in Windows 2000 Service Pack 3. For additional information about the latest service pack for Windows 2000, click the following article number to view the article in the Microsoft Knowledge Base:
260910 How to obtain the latest Windows 2000 service pack
Note The fixes for the following vulnerabilities that affect IIS 4.0 are not included in the patch because they require administrative action instead of a software change. Administrators must make sure that they not only apply this patch, but also take the administrative action that is described in the following bulletins:
RESOLUTION
Windows XP service pack information
To resolve this problem, obtain the latest service pack for Microsoft Windows XP. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
322389 How to obtain the latest Windows XP service pack
Windows 2000 service pack information
To resolve this problem, obtain the latest service pack for Microsoft Windows 2000. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
260910 How to obtain the latest Windows 2000 service pack
Hotfix information
Internet Information Services 5.1
A supported hotfix is now available from Microsoft, but it is only intended to correct the problem that this article describes. Apply it only to systems that you determine are at risk of attack. Evaluate the computer's physical accessibility, network and Internet connectivity, and other factors to determine the degree of risk to the computer. See the associated Microsoft Security Bulletin to help determine the degree of risk. This hotfix may receive additional testing. If the computer is sufficiently at risk, we recommend that you apply this hotfix now.
To resolve this problem immediately, download the hotfix by following the instructions later in this article or contact Microsoft Product Support Services to obtain the hotfix. For a complete list of Microsoft Product Support Services telephone numbers and information about support costs, visit the following Microsoft Web site:
Note In special cases, charges that are ordinarily incurred for support calls may be canceled, if a Microsoft Support Professional determines that a specific update will resolve your problem. The usual support costs will apply to additional support questions and issues that do not qualify for the specific update in question.
Download information
The following files are available for download from the Microsoft Download Center:
Windows XP Professional
English (US): Download the Q327696 package now
Arabic: Download the Q327696 package now
Chinese (Simplified): Download the Q327696 package now
Chinese (Traditional): Download the Q327696 package now
Czech: Download the Q327696 package now
Danish: Download the Q327696 package now
Dutch: Download the Q327696 package now
Finnish: Download the Q327696 package now
French: Download the Q327696 package now
German: Download the Q327696 package now
Greek: Download the Q327696 package now
Hebrew: Download the Q327696 package now
Hungarian: Download the Q327696 package now
Italian: Download the Q327696 package now
Japanese: Download the Q327696 package now
Korean: Download the Q327696 package now
Norwegian: Download the Q327696 package now
Polish: Download the Q327696 package now
Portuguese: Download the Q327696 package now
Portuguese (Brazil): Download the Q327696 package now
Russian: Download the Q327696 package now
Spanish: Download the Q327696 package now
Swedish: Download the Q327696 package now
Turkish: Download the Q327696 package now
Windows XP 64-Bit Edition
English (US): Download the Q327696 package now
French: Download the Q327696 package now
German: Download the Q327696 package now
Japanese: Download the Q327696 package now
Release Date: October 30, 2002
For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:
119591 How to Obtain Microsoft Support Files from Online Services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.
Installation information
If a dialog box appears that states you must restart your computer after you apply this update, you can safely ignore it. This update supports the following Setup switches:
- /? Display the list of installation switches.
- /u Unattended mode.
- /f Force other programs to quit when the computer shuts down.
- /n Do not back up files for removal.
- /o Overwrite OEM files without prompting.
- /z Do not restart when installation is complete.
- /q Quiet mode (no user interaction).
- /l List installed hotfixes.
- /x Extracts the files without running Setup.
For example, the following command line installs the update without any user intervention and then does not force the computer to restart:
q329834_wxp_sp2_x86_enu /q /m /z
File information
The English version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.
Windows XP Professional
The following files are installed in the %WINDIR%\System32\inetsrv folder:
Date Time Version Size File name -------------------------------------------------------- 25-Sep-2002 14:46 5.1.2600.1125 339,456 Asp51.dll 25-Sep-2002 14:46 5.1.2600.1125 117,248 Ftpsv251.dll 25-Sep-2002 14:46 6.0.2600.1125 240,640 Httpext.dll 25-Sep-2002 14:46 5.1.2600.1125 54,272 Httpod51.dll 25-Sep-2002 14:46 6.0.2600.1125 240,640 Infocomm.dll 25-Sep-2002 14:46 6.0.2600.1125 65,024 Isatq.dll 25-Sep-2002 14:46 5.1.2600.1125 40,448 Ssinc51.dll 25-Sep-2002 14:46 5.1.2600.1125 339,456 W3svc.dll
The following files are installed in the %WINDIR%\Help\iisHelp\iis\misc folder:
Date Time Size File name --------------------------------------- 08-Aug-2002 14:31 2,411 Default.asp 08-Aug-2002 14:31 19,224 Query.asp 08-Aug-2002 14:31 6,527 Search.asp
Windows XP 64-Bit Edition
The following files are installed in the %WINDIR%\System32\inetsrv folder:
Date Time Version Size File name ---------------------------------------------------------- 25-Sep-2002 14:47 5.1.2600.1125 1,052,672 Asp51.dll 25-Sep-2002 14:47 5.1.2600.1125 289,792 Ftpsv251.dll 25-Sep-2002 14:47 6.0.2600.1125 934,400 Httpext.dll 25-Sep-2002 14:47 5.1.2600.1125 142,848 Httpod51.dll 25-Sep-2002 14:47 6.0.2600.1125 667,648 Infocomm.dll 25-Sep-2002 14:47 6.0.2600.1125 186,368 Isatq.dll 25-Sep-2002 14:47 5.1.2600.1125 96,768 Ssinc51.dll 25-Sep-2002 14:47 5.1.2600.1125 916,480 W3svc.dll
The following files are installed in the %WINDIR%\Help\iisHelp\iis\misc folder:
Date Time Size File name --------------------------------------- 08-Aug-2002 14:32 2,411 Default.asp 08-Aug-2002 14:32 19,224 Query.asp 08-Aug-2002 14:32 6,527 Search.asp
Internet Information Services 5.0
A supported hotfix is now available from Microsoft, but it is only intended to correct the problem that this article describes. Apply it only to systems that you determine are at risk of attack. Evaluate your computer's physical accessibility, network and Internet connectivity, and other factors to determine the degree of risk to your computer. See the associated Microsoft Security Bulletin to help determine the degree of risk. This hotfix may receive additional testing. If your computer is sufficiently at risk, we recommend that you apply this hotfix now.
To resolve this problem immediately, download the hotfix by following the instructions later in this article or contact Microsoft Product Support Services to obtain the hotfix. For a complete list of Microsoft Product Support Services phone numbers and information about support costs, visit the following Microsoft Web site:
Note In special cases, charges that are ordinarily incurred for support calls may be canceled, if a Microsoft Support Professional determines that a specific update will resolve your problem. The usual support costs will apply to additional support questions and issues that do not qualify for the specific update in question.
Download information
The following files are available for download from the Microsoft Download Center:
English Language Version
Arabic Language Version
Chinese (Simplified) Language Version
Chinese (Traditional) Language Version
Czech Language Version
Danish Language Version
Dutch Language Version
Finnish Language Version
French Language Version
German Language Version
Greek Language Version
Hebrew Language Version
Hungarian Language Version
Italian Language Version
Japanese Language Version
Japanese NEC Language Version
Korean Language Version
Norwegian Language Version
Polish Language Version
Portuguese (Brazilian) Language Version
Portuguese Language Version
Russian Language Version
Spanish Language Version
Swedish Language Version
Turkish Language Version
Release Date: October 30, 2002
For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:
119591 How to Obtain Microsoft Support Files from Online Services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.
Installation information
Because of file dependencies, this update requires Windows 2000 Service Pack 2 (SP2) or Service Pack 3 (SP3). For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
260910 How to obtain the latest Windows 2000 service pack
Customers who use Site Server must be aware that a previously documented issue that involves intermittent authentication errors affects this and a small number of other patches. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
317815 Site Server logon problems occur after you apply certain Windows 2000 hotfixes
You do not have to restart your computer after you apply this update. This update supports the following Setup switches:
- /? Display the list of installation switches.
- /u Unattended mode.
- /f Force other programs to quit when the computer shuts down.
- /n Do not back up files for removal.
- /o Overwrite OEM files without prompting.
- /z Do not restart when installation is complete.
- /q Quiet mode (no user interaction).
- /l List installed hotfixes.
- /x Extracts the files without running Setup.
For example, the following command line installs the update without any user intervention and then does not force the computer to restart:
q327696_w2k_sp4_x86_en /q /m /z
File information
The English version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.
The following files are installed in the %Windir%\System32\ folder:
Date Time Version Size File name -------------------------------------------------------- 17-Sep-2002 15:40 5.0.2195.6048 245,520 Adsiis.dll 17-Sep-2002 15:40 5.0.2195.5255 8,464 Ftpctrs2.dll 17-Sep-2002 15:40 5.0.2195.5617 122,128 Idq.dll 17-Sep-2002 15:40 5.0.2195.5991 13,584 Infoadmn.dll 17-Sep-2002 15:40 5.0.2195.5255 122,640 Iisrtl.dll 17-Sep-2002 15:40 5.0.2195.5807 76,560 Msw3prt.dll 17-Sep-2002 15:40 5.0.2195.5255 7,440 W3ctrs.dll
The following file is installed in the Program files\Microsoft Shared\Web Server Extensions\40\bin folder:
Date Time Version Size File name ------------------------------------------------------- 16-Aug-2002 14:47 4.0.2.4701 593,976 Fp4autl.dll
The following files are installed in the %WINDIR%\Help\iisHelp\iis\misc folder:
Date Time Size File name --------------------------------------- 22-Mar-2002 18:15 2,413 Default.asp 22-Mar-2002 18:15 19,178 Query.asp 22-Mar-2002 18:15 5,571 Search.asp
The following files are installed in the %Windir%\System32\inetsrv folder:
Date Time Version Size File name -------------------------------------------------------- 17-Sep-2002 15:40 5.0.2195.6048 333,584 Asp.dll 17-Sep-2002 15:40 5.0.2195.3649 299,792 Fscfg.dll 17-Sep-2002 15:40 5.0.2195.5255 6,416 Ftpmib.dll 17-Sep-2002 15:40 5.0.2195.5675 117,008 Ftpsvc2.dll 17-Sep-2002 15:40 5.0.2195.6035 246,032 Httpext.dll 17-Sep-2002 15:40 5.0.2195.5255 9,488 Httpmib.dll 17-Sep-2002 15:40 5.0.2195.5663 56,592 Httpodbc.dll 17-Sep-2002 15:40 5.0.2195.5991 78,608 Iislog.dll 17-Sep-2002 15:40 5.0.2195.5991 246,544 Infocomm.dll 17-Sep-2002 15:40 5.0.2195.6036 62,736 Isatq.dll 17-Sep-2002 15:40 5.0.2195.5671 46,352 Ism.dll 17-Sep-2002 15:40 5.0.2195.5255 26,896 Mdsync.dll 17-Sep-2002 15:40 5.0.2195.5255 41,232 Ssinc.dll 17-Sep-2002 15:40 5.0.2195.5995 349,456 W3svc.dll 17-Sep-2002 15:40 5.0.2195.5995 72,976 Wam.dll
Internet Information Server 4.0
A supported hotfix is now available from Microsoft, but it is only intended to correct the problem that this article describes. Apply it only to systems that you determine are at risk of attack. Evaluate your computer's physical accessibility, network and Internet connectivity, and other factors to determine the degree of risk to your computer. See the associated Microsoft Security Bulletin to help determine the degree of risk. This hotfix may receive additional testing. If your computer is sufficiently at risk, we recommend that you apply this hotfix now.
To resolve this problem immediately, download the hotfix by following the instructions later in this article or contact Microsoft Product Support Services to obtain the hotfix. For a complete list of Microsoft Product Support Services phone numbers and information about support costs, visit the following Microsoft Web site:
Note In special cases, charges that are ordinarily incurred for support calls may be canceled, if a Microsoft Support Professional determines that a specific update will resolve your problem. The usual support costs will apply to additional support questions and issues that do not qualify for the specific update in question. Before you apply this update, back up your metabase. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
300675 How to create a metabase backup by using Internet Information Server 4.0 in Windows NT
Download information
The following file is available for download from the Microsoft Download Center:
Release Date: October 30, 2002
For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:
119591 How to Obtain Microsoft Support Files from Online Services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.
Installation information
This update requires Windows NT 4.0 Service Pack 6a. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
152734 How to obtain the latest Windows NT 4.0 service pack
To install this patch without restarting your computer, follow these steps:
- Stop all IIS services.
- Install the patch with the hotfix with the /z switch.
- Restart the IIS services.
This update supports the following Setup switches:
- /x Extract the files for later installation
- /y Perform uninstall (only with /m or /q)
- /f Force apps closed at shutdown
- /n Do not create uninstall directory
- /z Do not restart when update completes
- /q Quiet Mode -- no user interface
- /m Unattended mode
- /l List installed hotfixes
File information
The English version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.
The following files are installed in the %WINDIR%\System32\inetsrv\ folder (unless otherwise noted):
Date Time Version Size File name -------------------------------------------------------------------- 28-Aug-2002 20:09 4.2.780.1 214,544 %WINDIR%\System32\Adsiis.dll 28-Aug-2002 20:10 4.2.780.1 331,200 Asp.dll 28-Aug-2002 20:09 4.2.780.1 81,888 Ftpsvc2.dll 28-Aug-2002 20:09 4.2.780.1 55,392 Httpodbc.dll 13-Jul-2001 21:14 5.0.1782.4 193,296 %WINDIR%\System32\Idq.dll 28-Aug-2002 20:08 4.2.780.1 63,984 Iislog.dll 28-Aug-2002 20:08 4.2.780.1 185,792 Infocomm.dll 28-Aug-2002 20:08 4.2.780.1 29,520 Iscomlog.dll 28-Aug-2002 20:12 4.2.780.1 54,560 Ism.dll 28-Aug-2002 20:10 4.2.780.1 31,872 Mdsync.dll 28-Aug-2002 20:09 4.2.780.1 38,256 Ssinc.dll 28-Aug-2002 20:09 4.2.780.1 25,360 Sspifilt.dll 28-Aug-2002 20:09 4.2.780.1 231,104 W3svc.dll 28-Aug-2002 20:08 4.2.780.1 88,032 Wam.dll
Note Because of file dependencies, this update may contain additional files.
Windows NT Server 4.0, Terminal Server Edition Internet Information Server 4.0 is part of the Windows NT 4.0 Option Pack. The Option Pack is not supported on Windows NT Server 4.0, Terminal Server Edition. Patches for IIS 4.0 have been provided as part of the Windows NT Server 4.0, Terminal Server Edition Security Rollup Package (SRP) only for customers who have installed the Option Pack to protect their computers during the migration to a supported operating system. For additional information about the SRP, click the following article number to view the article in the Microsoft Knowledge Base:
317636 Windows NT Server 4.0, Terminal Server Edition, Security Rollup Package
STATUS
Microsoft has confirmed that this problem may cause a degree of security vulnerability in the Microsoft products that are listed in the "Applies to" section. This problem was first corrected in Microsoft Windows XP Service Pack 2. This problem was first corrected in Microsoft Windows 2000 Service Pack 4.
MORE INFORMATION
For more information about this vulnerability, visit the following Microsoft Web site:
Additional query words: security_patch
Keywords: kbwinxpsp2fix kbwin2ksp4fix kbbug kbfix kbqfe kbsecbulletin kbsecurity kbsecvulnerability kbwin2000presp4fix kbwinxppresp2fix KB327696