[Am-info] Microsoft Patches Web Server Security Flaws
Fred A. Miller
fm@cupserv.org
Thu, 11 Apr 2002 11:55:20 -0400
Microsoft Patches Web Server Security Flaws
Microsoft said Wednesday it has fixed 10 new vulnerabilities in
its Internet Information Services software, the worst of which
could enable an attacker's code to be run on a server. The
vulnerabilities have been found in IIS 4, 5, and 5.1. Build
versions 3605 and higher of .Net Server are already fixed.
Six of the 10 vulnerabilities are buffer overrun vulnerabilities,
one of the most common application development flaws, experts
say. In a buffer overrun, the amount of data sent to a buffer
exceeds its capacity. Two of the vulnerabilities let attackers
crash IIS, creating a denial-of-service attack. Yet another
vulnerability, called cross-site scripting, allows hackers to use
a Web link to get users to run a script on another server running
IIS and bypass security settings of the original server.
Microsoft has deemed many of the vulnerabilities critical. More
information can be found in Microsoft Security Bulletin MS02-018
at
http://update.informationweek.com/cgi-bin4/flo?y=eGkt0Bce7K0V20Ba5Q0AA .
Patches are available. - George V. Hulme
More Microsoft background can be found at
Microsoft Launches Security Initiative
http://update.informationweek.com/cgi-bin4/flo?y=eGkt0Bce7K0V20Svw0AX
--
Fred A. Miller
Systems Administrator
Cornell Univ. Press Services
fm@cupserv.org, www.cupserv.org
--- SuSE Linux v7.3 Pro---