On November 06, 2000, Microsoft released the original version of this bulletin, announcing the availability of a patch that eliminates a security vulnerability in Microsoft® Internet Information Services 5.0. The vulnerability could enable a malicious user to run operating system commands on a web server. Since its original issuance, the bulletin has been updated several times:

On November 10, 2000, the bulletin was updated to clarify the scope of the issue.
On November 21, 2000, it was updated to discuss two newly-discovered variants of the original vulnerability.
On November 30, 2000, it was updated to discuss a newly-discovered regression error in the IIS 5.0 patch and recommend that customers apply an updated version of the patch.

The newly-discovered regression error only affects the IIS 5.0 version of the patch. It does not reduce the effectiveness of the patch against the vulnerability discussed here, but it does cause servers to be vulnerable to the Web Server Directory Traversal vulnerability discussed in Microsoft Security Bulletin MS00-078, even if the patch provided in MS00-078 has been applied. Microsoft therefore recommends that all IIS 5.0 customers apply the new patch provided below. It protects against both the Web Server File Request Parsing and Web Server Directory Traversal vulnerabilities. The IIS 4.0 version of the patch does not contain the error, and customers who have applied the IIS 4.0 patch do not need to take any action.

Frequently asked questions regarding this vulnerability and the patch can be found at http://www.microsoft.com/technet/security/bulletin/fq00-086.asp

Affected Software Versions
Microsoft Internet Information Server 4.0
Microsoft Internet Information Services 5.0

Patch Availability
Internet Information Server 4.0:
http://www.microsoft.com/ntserver/nts/downloads/critical/q277873
Internet Information Services 5.0:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=25547

Note: The IIS 5.0 patch can be applied atop systems running either Windows 2000 Gold or Service Pack 1. It will be included in Windows 2000 Service Pack 2.

Note: The IIS 4.0 patch can be applied atop systems running Windows NT 4.0 Service Pack 6a. It will be included in Windows NT 4.0 Service Pack 7.