[thelist] FW: Microsoft Security Bulletin (MS99-061)

Scott Dexter sgd at ti3.com
Wed, 22 Dec 1999 10:39:28 -0600
Previous message: [thelist] CF / SQL problem
Next message: [thelist] FW: Microsoft Security Bulletin (MS99-058)
Return to the message index sorted by: [ date ] [ thread ] [ subject ] [ author ]
two biggies, this is number 1

sgd
--
think safely

> -----Original Message-----
> From: Microsoft Product Security [mailto:secnotif@MICROSOFT.COM]
> Sent: Tuesday, December 21, 1999 5:41 PM
> To: MICROSOFT_SECURITY@ANNOUNCE.MICROSOFT.COM
> Subject: Microsoft Security Bulletin (MS99-061)
> 
> 
> The following is a Security  Bulletin from the Microsoft 
> Product Security
> Notification Service.
> 
> Please do not  reply to this message,  as it was sent  from 
> an unattended
> mailbox.
>                     ********************************
> 
> Microsoft Security Bulletin (MS99-061)
> --------------------------------------
> 
> Patch Available for "Escape Character Parsing" Vulnerability
> Originally Posted: December 21, 1999
> 
> Summary
> =======
> Microsoft has released a patch that eliminates a vulnerability in
> Microsoft(r) Internet Information Server and products that 
> run atop it. The
> vulnerability could allow files on a web server to be 
> specified using an
> alternate representation, in order to bypass access controls of some
> third-party applications.
> 
> Frequently asked questions regarding this vulnerability can 
> be found at
> http://www.microsoft.com/security/bulletins/MS99-061faq.asp.
> 
> Issue
> =====
> RFC 1738 specifies that web servers must allow hexadecimal 
> digits to be
> input in URLs by preceding them with the so-called "escape" 
> character, a
> percent sign. IIS complies with this specification, but also accepts
> characters after the percent sign that are not hexadecimal 
> digits. Some of
> these translate to printable ASCII characters, and this could 
> provide an
> alternate means of specifying files in URLs.
> 
> The vulnerability does not affect IIS; even specifying a file 
> name via this
> alternate method does not bypass IIS' access controls. 
> However, third-party
> software that runs atop IIS but does not perform canonicalization is
> affected by it.
> 
> Affected Software Versions
> ==========================
>  - Microsoft Internet Information Server 4.0
>  - Microsoft Site Server 3.0
>  - Microsoft Site Server Commerce Edition 3.0
> 
> Patch Availability
> ==================
>  - Intel:
>    http://www.microsoft.com/Downloads/Release.asp?ReleaseID=16357
>  - Alpha:
>    http://www.microsoft.com/Downloads/Release.asp?ReleaseID=16358
> 
> NOTE: Additional security patches are available at the 
> Microsoft Download
> Center
> 
> More Information
> ================
> Please see the following references for more information 
> related to this
> issue.
>  - Frequently Asked Questions: Microsoft Security Bulletin MS99-061,
>    http://www.microsoft.com/security/bulletins/MS99-061faq.asp.
>  - Microsoft Knowledge Base (KB) article Q246401,
>    IIS may improperly parses specific escape characters,
>    http://support.microsoft.com/support/kb/articles/q246/4/01.asp.
>    (Note: It may take 24 hours from the original posting of 
> this bulletin
>    for this KB article to be visible.)
>  - RFC 1738,
>    Uniform Resource Locators,
>    http://www.ietf.org/rfc/rfc1738.txt.
>  - Microsoft Security Advisor web site,
>    http://www.microsoft.com/security/default.asp.
> 
> Obtaining Support on this Issue
> ===============================
> This is a fully supported patch. Information on contacting Microsoft
> Technical Support is available at
> http://support.microsoft.com/support/contact/default.asp.
> 
> Acknowledgments
> ===============
> Microsoft acknowledges the ACROS Security Team, Slovenia, for 
> bringing this
> issue to our attention.
> 
> Revisions
> =========
>  - December 21, 1999: Bulletin Created.
> 
> -----------------------------------------------------------------
> 
> THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS 
> PROVIDED "AS IS"
> WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL 
> WARRANTIES, EITHER
> EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF 
> MERCHANTABILITY AND FITNESS
> FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT 
> CORPORATION OR ITS
> SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING 
> DIRECT, INDIRECT,
> INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR 
> SPECIAL DAMAGES, EVEN
> IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
> POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR
> LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE
> FOREGOING LIMITATION MAY NOT APPLY.
> 
> (c) 1999 Microsoft Corporation. All rights reserved. Terms of Use
> 
>    *******************************************************************
> You have received  this e-mail bulletin as a result  of your 
> registration
> to  the   Microsoft  Product  Security  Notification   
> Service.  You  may
> unsubscribe from this e-mail notification  service at any 
> time by sending
> an  e-mail  to  
> MICROSOFT_SECURITY-SIGNOFF-REQUEST@ANNOUNCE.MICROSOFT.COM
> The subject line and message body are not used in processing 
> the request,
> and can be anything you like.
> 
> For  more  information on  the  Microsoft  Security 
> Notification  Service
> please visit 
http://www.microsoft.com/security/services/bulletin.asp. For
security-related information  about Microsoft products, please  visit the
Microsoft Security Advisor web site at http://www.microsoft.com/security.
Previous message: [thelist] CF / SQL problem
Next message: [thelist] FW: Microsoft Security Bulletin (MS99-058)
Return to the message index sorted by: [ date ] [ thread ] [ subject ] [ author ]