RSSMicrosoft Briefs BetaNews on IIS Bug
By David Worthington | Published May 1, 2001, 11:56 PM
In light of the IIS 5 ISAPI Extension bug, a Microsoft spokesperson contacted BetaNews with a detailed briefing of the company's response. The flaw, which affects only customers running IIS5, is considered to be a serious threat since the software's default configuration leaves users open to attack. Microsoft has utilized many avenues to inform customers of the importance of applying the security patch. The release of the second Service Pack for Windows 2000 has also been delayed in order to incorporate this latest fix.
By sending a unique string of characters to an IIS 5 machine with Internet Printing enabled, a malicious user can gain full access to a Web server. The printing service module is installed by default. Microsoft informed BetaNews, "IIS 5.0 customers are not at risk if they have removed the Internet Printing capability from their servers. The IIS 5.0 security checklist recommends that this be done, and the security template provided in the checklist removes it. Likewise, the IIS 5.0 Lockdown Tool removes the capability unless the user explicitly chooses to retain it."
although the MS site says the patch is for servers only, I installed it on my win2k pro without any problem. not sure if the bug affects win2k pro or not, but hey, I'm running IIS5...
Score: 0
|Yea I saw the same thing. But I'm pretty sure the patch is in Windows Update even on Pro machines. Better install to be safe.
Score: 0
|does anyone know if it effects people running Service Pack 2?
I got it installed and im running IIS 5 and it tells me it cant apply the patch cuz im running SP2.
any help appreciated.
Score: 0
|Because SP2 has not been finalized, Microsoft pushed back the release to add this fix in. So yes, if you are running a beta copy of SP2, you will need to uninstall and download the final version upon release or apply the patch.
- Nate
Score: 0
|Where can I find some proof of concept code for this?
Score: 0
|