IWS - The Information Warfare Site
News Watch Make a  donation to IWS - The Information Warfare Site Use it for navigation in case java scripts are disabled


Advisory 02-002

Multiple Remote Vulnerabilities in Microsoft's Internet Information Services (IIS)
April 11, 2002


The NIPC is issuing this advisory to highlight the significance of the above vulnerability addressed in Microsoft Security Bulletin MS02-018 dated 10 April 2002, which can be found here:

http://www.microsoft.com/technet/security/bulletin/MS02-018.asp

Microsoft published this Security Bulletin that includes multiple buffer overflow conditions, which could allow an attacker remote access to the server with various privilege levels, depending on the version of IIS. Multiple denial of service conditions can make the server unusable until the server is restarted. Three cross-site scripting vulnerabilities can allow malicious codes to be run on unsuspected "clients" of the server.

While there have been no reported victims, the NIPC is issuing this advisory to emphasize the significance of these vulnerabilities and to make system administrators aware that attackers could exploit these vulnerabilities to gain remote access. This could provide the attacker with the ability to take any action desired, such as installing malicious code, running programs, reconfiguring, adding, changing, or deleting files. Based on the nature of the potential harm (remote system account compromise) and the NIPC's assessment that there is a strong likelihood that this vulnerability may be exploited against the large number of Windows servers running IIS, the NIPC considers this to be a high level threat and is issuing this advisory in advance of any reported victims. The NIPC re-enforces Microsoft's recommendation that all IIS server system administrators consider applying the patches.

Recommendation:

The Microsoft bulletin describing this vulnerability and the patches to fix the problems may be found here:

http://www.microsoft.com/technet/security/bulletin/MS02-018.asp

Microsoft strongly recommends that all IIS server administrators mitigate this vulnerability immediately by applying the patches.

Background:

As reported by Microsoft, these vulnerabilities affect all installations of IIS, versions 4.0, 5.0 and 5.1 running on Microsoft Windows NT 4.0, Windows 2000, or Windows XP (Windows web server IIS software.) Having this service installed on a Windows machine does not make it vulnerable to these exploits, the machine has to actually have the IIS software running to be affected.

The NIPC considers this to be a significant threat due to the magnitude and type of potential victim systems, coupled with the potential for remote compromise and the level of compromise.

Recipients of this advisory are encouraged to report computer crime to federal, state, or local law enforcement and to other appropriate authorities. Incidents may be reported online at http://www.nipc.gov/incident/cirr.htm. The NIPC Watch and Warning Unit can be reached at (202) 323-3204/3205/3206 or nipc.watch@fbi.gov