

Computerworld

Microsoft patches more security holes in IIS



By Sam Costello

(IDG) -- Microsoft Corp. is urging users of its Internet Information Services (IIS) software to install another patch, this time to plug three newly discovered security holes and to correct errors made in a trio of earlier patches that were developed for the widely used Web server package.

The software vendor said in a security bulletin issued late Monday that systems administrators should apply the new patch "to all machines running IIS 4.0 or 5.0 immediately." Separate versions of the patch can be downloaded for IIS 4.0 on systems running Windows NT 4.0 and for IIS 5.0 on Windows 2000-based servers.

In addition to addressing the latest vulnerabilities, the new code includes the functionality built into all 16 of the patches Microsoft had previously released for IIS 5.0 -- freeing users of the need to install them separately, said the company. The new code also covers the 22 previous IIS 4.0 patches that have been issued since NT 4.0 Service Pack 5 became available, it added.




The new warning came just two weeks after Microsoft disclosed that an "extremely serious" flaw in an extension of Windows 2000 could allow attackers to gain complete control of computers running IIS 5.0, which is built into that operating system. Last Tuesday, Microsoft issued another patch for Windows 2000 to plug a hole that could lead to denial-of-service attacks against servers.

The first flaw targeted by the patch released yesterday could be exploited to give an attacker the ability to execute operating system commands or programs on an IIS-equipped server, Microsoft said. Left unplugged, the hole would make it possible for the attacker to get system capabilities similar to those of a non-administrative user, the company added.

The patch is also supposed to fix a glitch that could be used to launch denial-of-service attacks against the File Transfer Protocol (FTP) service on a system, thus causing IIS to fail. In addition, Microsoft said, another flaw could enable an attacker to gain access to "guest" user accounts that had been "inadvertently exposed" via FTP.

The latest fix is also designed to address new flaws introduced by two IIS patches that were issued in March and another that became available last August. The August patch had created conditions that would allow an attacker to slow down the performance of systems, Microsoft said, while the two from March set up the potential for denial-of-service attacks.






