Microsoft Product Support Services   All Products  |   Support  |   Search  |   microsoft.com Home  
microsoft.com
  Support Home  |   Find a Solution  |   Request Support  |   Custom Support  |

Patch Available for New Variant of File Fragment Reading via .HTR Vulnerability


The information in this article applies to:
  • Microsoft Internet Information Server 4.0
  • Microsoft Internet Information Services version 5.0


SYMPTOMS

Microsoft has released a patch that eliminates a security vulnerability in Internet Information Server (IIS) 4.0 and Internet Information Services (IIS) 5.0. Under very unusual conditions, this vulnerability can allow an attacker to read fragments of files from a Web server.

This vulnerability involves a new variant of the "File Fragment Reading via .HTR" vulnerability, which is described in Microsoft Security Bulletin (MS00-044). Like the other variants, this one may allow an attacker to request a file in a way that causes it to be processed by the .htr ISAPI extension. The result of this is that fragments of server-side files such as .asp files may potentially be sent to the attacker. There is no capability through this vulnerability to add, change, or delete files on the server, or to access a file without permissions.

There are a number of significant restrictions on this vulnerability:

  • During normal .htr processing, the effect is to strip out the very data that would be the most likely to contain sensitive information.


  • There must be zeros fortuitously located in the server memory in order for the file fragments to be sent.


  • If best practices have been followed regarding the need to avoid ever storing sensitive information in .asp and other server-side files, there should be no sensitive information in the files to begin with.


Customers who have previously disabled the .htr functionality are not affected by this vulnerability. Microsoft recommends that all customers disable .htr functionality, unless there is a business-critical reason for keeping it. For the latter group of customers, a patch is available that eliminates this vulnerability.


RESOLUTION

Internet Information Services 5.0

A supported fix is now available from Microsoft, but it is only intended to correct the problem described in this article and should be applied only to systems that are determined to be at risk of attack. Please evaluate your computer's physical accessibility, network and Internet connectivity, and other factors to determine the degree of risk to your computer. Please see the associated Microsoft Security Bulletin to help make this determination. This fix may receive additional testing at a later time, to further ensure product quality. If your computer is sufficiently at risk, Microsoft recommends that you apply this fix now. Otherwise, wait for the next Windows 2000 service pack that contains this fix.

To resolve this problem immediately, download the fix as instructed below or contact Microsoft Product Support Services to obtain the fix. For a complete list of Microsoft Product Support Services phone numbers and information on support costs, please go to the following address on the World Wide Web:

http://support.microsoft.com/directory/overview.asp
NOTE: In special cases, charges that are normally incurred for support calls may be canceled, if a Microsoft Support Professional determines that a specific update will resolve your problem. Normal support costs will apply to additional support questions and issues that do not qualify for the specific update in question.

The following files are available for download from the Microsoft Download Center:
[GRAPHIC: Download]Download Q285985_w2k_sp3_x86_en.exe now

For additional information about how to download Microsoft Support files, click the article number below to view the article in the Microsoft Knowledge Base:
Q119591 How to Obtain Microsoft Support Files from Online Services
Microsoft used the most current virus detection software available on the date of posting to scan this file for viruses. Once posted, the file is housed on secure servers that prevent any unauthorized changes to the file.

The English version of this fix should have the following file attributes or later:
   Date        Time    Version    Size    File name  Platform
   ----------------------------------------------------------
   01/22/2001  04:09p  4.2.756.1  54,560  Ism.dll    x86 
NOTE: Due to file dependencies, this hotfix requires Microsoft Windows NT 4.0 Service Pack 5 or Service Pack 6a.


STATUS

Microsoft has confirmed that this problem could result in some degree of security vulnerability in IIS 4.0 and 5.0.


MORE INFORMATION

For more information on this security vulnerability, please see the following Microsoft Web site:

http://www.microsoft.com/technet/security/bulletin/ms01-004.asp
For additional information about how to install Windows 2000 and Windows 2000 hotfixes at the same time, click the article number below to view the article in the Microsoft Knowledge Base:
Q249149 Installing Microsoft Windows 2000 and Windows 2000 Hotfixes

Additional query words:

Keywords : kbWinNT400PreSP7Fix kbWin2000PreSP3Fix kbgraphxlinkcritical
Issue type : kbbug
Technology : kbiisSearch kbiis500 kbiis400


Last Reviewed: June 1, 2001
© 2001 Microsoft Corporation. All rights reserved. Terms of Use.


Article ID: Q285985

Last Reviewed:
June 1, 2001

Send to a friend

Provided by
Microsoft Product Support Services


Did the information in this article help answer your question?

Yes
No
Did not apply

Please provide additional comments about this information.
(255 character max)