Microsoft offers free tool for security checks
The Microsoft Baseline Security Analyzer gives users a simple way to check systems for common problems, such as when computers are set up incorrectly or users fail to install suggested security patches.
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/Tools/mbsahome.asp
Microsoft released a "critical" cumulative patch for 10 new vulnerabilities affecting IIS 4.0/5.0/5.1 running on Windows NT 4.0/2000/XP, the most serious of which could enable code of an attacker's choice to be run on a target server.
Five of the flaws could enable an attacker to gain control over a Web server. Two others could enable an attacker to prevent either a Web server or an FTP server from providing service. Three more vulnerabilities could enable an attacker to "bounce" Web content to another user's browser session.
"Unlike past IIS buffer overflow vulnerabilities, (one of these flaws) is within a core component of IIS, .ASP," says Marc Maiffret, chief hacking officer at eEye Digital Security. "Since the buffer overflow is within such a core component of ASP, it is probable that the number of affected servers is potentially higher than any of the past IIS vulnerabilities."
The patch includes the functionality of all security patches released for IIS 4.0 since Windows NT 4.0 Service Pack 6a, and all security patches released to date for IIS 5.0/5.1. Microsoft recommends that sysadmins take note of the caveats discussed in the bulletin before applying the patch.
Though applying the patch is important, security experts have warned of possible problems with it.
"We have received unconfirmed reports that the patch may break functionality in some environments," said a posting from Dave Ahmad, Bugtraq moderator and the threat analysis manager at SecurityFocus.
Comprehensive details on each of the vulnerabilities are available from the Microsoft security bulletin.
http://www.microsoft.com/technet/security/bulletin/MS02-018.asp
Patch availability:
IIS 4.0: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=37931
IIS 5.0: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=37824
IIS 5.1: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=37857