This patch is a cumulative patch that includes the functionality of all security patches released for IIS 4.0 since Windows NT 4.0 Service Pack 6a, and all security patches released to date for IIS 5.0 and 5.1. A complete listing of the patches superseded by this patch is provided below, in the section titled "Additional information about this patch". Before applying the patch, system administrators should take note of the caveats discussed in the same section.
In addition to including previously released security patches, this patch also includes fixes for the following newly discovered security vulnerabilities affecting IIS 4.0, 5.0 and/or 5.1:
A buffer overrun vulnerability involving the operation of the chunked encoding transfer mechanism via Active Server Pages in IIS 4.0 and 5.0. An attacker who exploited this vulnerability could overrun heap memory on the system, with the result of either causing the IIS service to fail or allowing code to be run on the server.
A Microsoft-discovered vulnerability that is related to the preceding one, but which lies elsewhere within the ASP data transfer mechanism. It could be exploited in a similar manner as the preceding vulnerability, and would have the same scope. However, it affects IIS 4.0, 5.0, and 5.1.
A buffer overrun involving how IIS 4.0, 5.0 and 5.1 process HTTP header information in certain cases. IIS performs a safety check prior to parsing the fields in HTTP headers, to ensure that expected delimiter fields are present and in reasonable places. However, it is possible to spoof the check, and convince IIS that the delimiters are present even when they are not. This flaw could enable an attacker to create an URL whose HTTP header field values would overrun a buffer used to process them.
A Microsoft-discovered buffer overrun vulnerability in IIS 4.0, 5.0 and 5.1 that results from an error in safety check that is performed during server-side includes. In some cases, a user request for a web page is properly processed by including the file into an ASP script and processing it. Prior to processing the include request, IIS performs an operation on the user-specified file name, designed to ensure that the file name is valid and sized appropriately to fit in a static buffer. However, in some cases it could be possible to provide a bogus, extremely long file name in a way that would pass the safety check, thereby resulting in a buffer overrun.
A buffer overrun affecting the HTR ISAPI extension in IIS 4.0 and 5.0. By sending a series of specially malformed HTR requests, it could be possible to either cause the IIS service to fail or, under a very difficult operational scenario, to cause code to run on the server.
A denial of service vulnerability involving the way IIS 4.0, 5.0, and 5.1 handle an error condition from ISAPI filters. At least one ISAPI filter (which ships as part of FrontPage Server Extensions and ASP.NET), and possibly others, generate an error when a request is received containing an URL that exceeds the maximum length set by the filter. In processing this error, the filter replaces the URL with a null value. A flaw results because IIS attempts to process the URL in the course of sending the error message back to the requester, resulting in an access violation that causes the IIS service to fail.
A denial of service vulnerability involving the way the FTP service in IIS 4.0, 5.0 and 5.1 handles a request for the status of the current FTP session. If an attacker were able to establish an FTP session with an affected server, and levied a status request that created a particular error condition, a flaw in the FTP code would prevent it from correctly reporting the error. Other code within the FTP service would then attempt to use uninitialized data, with an access violation as the result. This would result in the disruption of not only FTP services, but also of web services.
A trio of Cross-Site Scripting (CSS) vulnerabilities affecting IIS 4.0, 5.0 and 5.1: one involving the results page thatís returned when searching the IIS Help Files, one involving HTTP error pages; and one involving the error message thatís returned to advise that a requested URL has been redirected. All of these vulnerabilities have the same scope and effect: an attacker who was able to lure a user into clicking a link on his web site could relay a request containing script to a third-party web site running IIS, thereby causing the third-party siteís response (still including the script) to be sent to the user. The script would then render using the security settings of the third-party site rather than the attackerís.