
Microsoft Security Bulletin MS02-018

The vulnerability results because IE performs its security checks when the page initially loads; by using this directive, script on a web page could fire after the security checks have been completed.

Frequently asked questions

What's the scope of the vulnerability? As a result, exploiting the vulnerability on a default IIS 4.0 installation would give the attacker complete control over the server. It could not be used to create, change, delete, or execute them.

Only IIS 5.0 is affected by it.

If the attacker can't force the user to accept the download, and can't force the program to run, why is this a security vulnerability? In the web-borne scenario, this doesn't actually qualify

All of these vulnerabilities have the same scope and effect: an attacker who was able to lure a user into clicking a link on his web site

As a result, it is possible to cause a header to be generated that is so large that it exhausts the memory available to IIS, causing it to fail.

If a system had an extremely high bandwidth connection to the server and generated a huge number of connection requests, the relatively infrequent purges could allow it to dominate the backlog.

As discussed above, this would enable the attacker to run script in the user's browser using the security settings of the other web site (the one running IIS), and to access

In addition to including previously released security patches, this patch also includes fixes for the following newly discovered security vulnerabilities affecting IIS 4.0, 5.0 and/or 5.1: A privilege elevation vulnerability affecting

If the vulnerability were exploited to cause the IIS service to fail, what would be needed to restore normal operation? On IIS 4.0, the administrator would need to restart the IIS service.

The attacker would also need to have an understanding of the directory structure on the web server.

The IIS 5.0 patch can be installed on systems running Windows 2000 Service Pack 2 or Service Pack 3.

Impact of vulnerability: Four vulnerabilities, the most serious of which could enable applications on a server to gain system-level privileges.

Arai Yuu of LAC for reporting the cross-site scripting vulnerability in IIS administrative pages.

In addition, this could be used to misrepresent the URL in the address bar in a window opened from their site.

The IIS Lockdown tool by default disables the ssinc.dll mapping, which will block this attack.

These two vulnerabilities stem from different issues, but have exactly the same effect.

By overrunning the buffer with carefully selected data, the attacker could overwrite program code on the server with new program code, in essence modifying the functionality of the server software.

If the vulnerability were exploited to cause the IIS server to fail, what would be needed to restore normal operation? On IIS 4.0, the administrator would need to restart the IIS service.

This is because, as far as the browser can tell, the attacker is the third-party site.

How great a risk does the web-borne scenario pose? The principal advantage of the web-borne scenario to the attacker is that, by default, all Internet web sites reside in the Internet Zone

What is script source access? Script source access is a second layer of defense intended to prevent unauthorized users from loading and running programs on the server.

If an attacker were able to establish an FTP session with an affected server, and levied a status request that created a particular error condition, a flaw in the

Active Server Pages (ASP) is a technology that allows web servers to dynamically generate web applications.

A complete listing of the patches superseded by this patch is provided below, in the section titled "Additional information about this patch".

Disclaimer: The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind.

However, we still recommend that you install the patch, to ensure that you're protected against the web-based scenario.

This flaw could make it possible for an attacker to misrepresent the name of the file in the dialogue, in an attempt to trick a user into opening or saving an

Why does this vulnerability pose a threat to IIS 4.0 systems, if IIS 4.0 runs applications in-process by default? The vulnerability poses no increased risk to IIS 4.0 systems that have been

Am I vulnerable to this issue?

The patch changes IIS to purge the list more frequently in order to make it more resilient to flooding attacks.

The URLScan tool can be configured to prevent chunked encoding requests.

As discussed above, an ISAPI filter is a .dll installed to extend the functionality available through a web server.

Reboot needed: Yes
Superseded patches: This patch supersedes the one provided in Microsoft Security Bulletin MS01-058, which is itself a cumulative patch.
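The chunked-encoding requests that URLScan can be configured to block and the buffer overrun described earlier (carefully selected data overrunning a buffer and overwriting program code on the server) are two views of the same defect: a length supplied by the client is trusted as the copy length into a fixed-size buffer. The following is an added illustration written for this page; it is not Microsoft's IIS or ASP ISAPI code and does not appear in the bulletin. It decodes an HTTP chunked transfer body two ways, once trusting the declared chunk size and once bounding every copy by the remaining output capacity and the remaining input. The function names, the 64-byte body buffer, and the sample request bodies are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BODY_CAP 64   /* assumed fixed-size body buffer, as in the vulnerable shape */

/* Parse one chunk-size line such as "1a\r\n" (hex, optional ";ext") and advance *p.
 * Returns 0 on success, -1 on malformed input or a size that would overflow size_t. */
static int read_chunk_size(const char **p, const char *end, size_t *size_out)
{
    const char *s = *p;
    size_t val = 0;
    int digits = 0;
    while (s < end) {
        int d;
        if (*s >= '0' && *s <= '9')      d = *s - '0';
        else if (*s >= 'a' && *s <= 'f') d = *s - 'a' + 10;
        else if (*s >= 'A' && *s <= 'F') d = *s - 'A' + 10;
        else break;
        if (val > (SIZE_MAX >> 4)) return -1;     /* another nibble would wrap */
        val = (val << 4) | (size_t)d;
        digits++;
        s++;
    }
    if (digits == 0) return -1;
    while (s < end && *s != '\r') s++;            /* skip any chunk extension */
    if (end - s < 2 || s[0] != '\r' || s[1] != '\n') return -1;
    *p = s + 2;
    *size_out = val;
    return 0;
}

/* Vulnerable shape (illustrative, not Microsoft's code): the client-declared chunk size is
 * used directly as the copy length, so a chunk declaring more than BODY_CAP bytes writes past
 * the end of 'out', and one declaring more than was sent reads past the request.
 * Returns the decoded length, or -1 if a size line is malformed. Never call with untrusted input. */
int chunked_decode_unsafe(const char *in, size_t inlen, char out[BODY_CAP])
{
    const char *p = in, *end = in + inlen;
    size_t total = 0, n;
    for (;;) {
        if (read_chunk_size(&p, end, &n) != 0) return -1;
        if (n == 0) return (int)total;
        memcpy(out + total, p, n);   /* no check against BODY_CAP or the bytes actually received */
        total += n;
        p += n + 2;                  /* skip the data and its trailing CRLF */
    }
}

/* Hardened form: each copy is bounded by the remaining output capacity and the remaining input,
 * and the chunk's trailing CRLF is verified before anything is copied.
 * Returns the decoded length, or -1 for malformed, truncated or oversized bodies. */
int chunked_decode_safe(const char *in, size_t inlen, char *out, size_t outcap)
{
    const char *p = in, *end = in + inlen;
    size_t total = 0, n;
    for (;;) {
        if (read_chunk_size(&p, end, &n) != 0) return -1;
        if (n == 0)   /* last chunk: require the terminating CRLF (trailers not handled here) */
            return (end - p >= 2 && p[0] == '\r' && p[1] == '\n') ? (int)total : -1;
        if (n > outcap - total) return -1;          /* would overflow the output buffer */
        if ((size_t)(end - p) < n + 2) return -1;   /* declared more data than was sent */
        if (p[n] != '\r' || p[n + 1] != '\n') return -1;
        memcpy(out + total, p, n);
        total += n;
        p += n + 2;
    }
}

/* Constructed sample bodies (not captured traffic). */
static const char BENIGN[]    = "5\r\nhello\r\n6\r\n world\r\n0\r\n\r\n";
static const char OVERSIZED[] = "1000\r\nAAAA\r\n0\r\n\r\n";   /* declares 4096 bytes */
static const char TRUNCATED[] = "5\r\nabc";                    /* declares 5, sends 3 */

/* Named results so each outcome can be checked rather than only printed. */
int safe_benign_ok(void)
{
    char b[BODY_CAP];
    int n = chunked_decode_safe(BENIGN, sizeof BENIGN - 1, b, sizeof b);
    return n == 11 && memcmp(b, "hello world", 11) == 0;
}
int safe_oversized(void)    { char b[BODY_CAP]; return chunked_decode_safe(OVERSIZED, sizeof OVERSIZED - 1, b, sizeof b); }
int safe_truncated(void)    { char b[BODY_CAP]; return chunked_decode_safe(TRUNCATED, sizeof TRUNCATED - 1, b, sizeof b); }
int unsafe_benign_len(void) { char b[BODY_CAP]; return chunked_decode_unsafe(BENIGN, sizeof BENIGN - 1, b); }

int main(void)
{
    printf("safe/benign ok: %d\n", safe_benign_ok());     /* 1 */
    printf("safe/oversized: %d\n", safe_oversized());     /* -1 */
    printf("safe/truncated: %d\n", safe_truncated());     /* -1 */
    printf("unsafe/benign: %d\n", unsafe_benign_len());   /* 11 */
    return 0;
}
```

Both decoders agree on a well-formed body; they differ only when the declared size exceeds what the buffer can hold or what the client actually sent, which is exactly the input a remote attacker controls. Rejecting the request at that point is the same outcome, for that one request, that an administrator gets by having URLScan refuse chunked requests outright before they reach the ISAPI extension.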

However, it would not disrupt any other system functions.

The vulnerability is subject to several mitigating factors: The email-borne attack scenario would be blocked if the user were using any of the following: Outlook 98 or 2000 with the Outlook

This is an information disclosure issue.

Version 1.0 of the IIS Lockdown Tool removes ASP by default, and the current version (version 2.1) removes it by default if Static Web Server has

By exploiting this vulnerability, an attacker could temporarily prevent a web server from providing web services. The vulnerability would not allow any data on the system to be compromised, nor would it

In particular, it provides information that lets IE determine what application should be used to open the file.

What causes the vulnerability? The vulnerability only provides a way for a web page to initiate a script; it doesn't provide a way to bypass any other security constraints.

An attacker could seek to exploit this vulnerability by uploading a specially named SHTML web page to the IIS server; the attacker would need explicit permissions to do this.

Mitigating factors: All of the vulnerabilities share a pair of common mitigating factors: The web-based attack vector would be blocked if the user had disabled Java applets in the Internet Explorer

The script would then render using the security settings of the third-party site rather than the attacker's.

WebDAV is an extension to the HTTP specification.

Among these, the most critical could allow an attacker to execute arbitrary code on the server.

Why isn't this patch cumulative? Microsoft's normal policy is to provide security fixes for IIS via cumulative patches.

If you are running Windows NT 4.0, Windows 2000, or Windows XP, type "cmd" (without the quotes), then hit the Enter key.

The specific effect of doing this would depend on the particular COM object that the attacker's applet used.

On IIS 5.0 and 5.1 servers, the service would automatically restart itself. Clearly, this is not the way people normally visit trusted web sites.