Microsoft has released a cumulative IIS patch that affects Windows NT 4.0, Windows 2000, and Windows XP. Security bulletin MS03-018, “Cumulative Patch for Internet Information Service,” includes patches for four recently disclosed vulnerabilities: one buffer overrun, two denial of service vectors, and one cross-site scripting threat.

The cumulative patch includes all security patches released for IIS 4.0 since NT 4.0 SP6a and all security-related patches for IIS 5.0 since Windows 2000 SP2, as well as IIS 5.1. Meanwhile, IIS 6.0 (included in Windows Server 2003) is not affected and doesn’t require the patch.

The buffer overrun affects IIS 5.0. The ASP Headers memory allocation request flaw affects IIS 4.0 and 5.0. The WebDAV DoS vulnerability affects IIS 5.0 and 5.1. The cross-site scripting vulnerability affects IIS 4.0, 5.0, and 5.1.

Risk level—various
Cumulative patches generally cover a variety of software sins, so some are naturally rated higher than others. In this case, the highest-rated of the threats has been classified as Important by Microsoft.

Mitigating factors
A number of factors may mitigate these threats, not the least of which is that some of the vulnerabilities from the cumulative patch may already have been patched or have had workarounds applied.

As for the new vulnerabilities:

  • Server-side include Web pages buffer overrun—In this case, ssinc.dll mapping is the source of the problem and this is disabled by the IIS lockdown tool. Only IIS 5.0 is vulnerable to this attack. By default, this is normally configured to run as a user account, so the attacker may not gain much if successful in penetrating the system.
  • ASP Headers DoS—This attack requires access to the IIS server so that the attacker can upload files. IIS 5.0 will just automatically restart if attacked. IIS 4.0 is most vulnerable.
  • WebDAV DoS—The IIS lockdown tool disables WebDAV. IIS 5.0 and 5.1 will simply restart if affected by this flaw.
  • Cross-site scripting redirection vulnerability—Since this is an HTML-based attack, a user must open a malicious HTML e-mail or go to a special site and click on a link.

Apply this patch, but be certain you read the entire bulletin. If you don’t also install the patch from MS02-050, you’ll have problems.

Final word
These flaws are certainly real but not alarmingly dangerous or urgent threats. I’m putting this one on my watch list and will recommend that clients install the patch after I’ve had a chance to see what problems crop up from the beta testers who rush in to apply it.

I’m definitely not saying these flaws should be ignored—just that we probably needn’t scramble to patch them. If you ignore the problems completely, they will probably come back to bite you someday, even though they aren’t the sort of vulnerabilities an inexperienced hacker would use.

Of course, I take a different stand on Critical-rated threats. Those are known to the public, even script kiddies, and are often pretty dangerous. Sometimes, published exploit code is even floating around on hacker sites. I look very hard at Critical threat patches and install them as soon as possible, or at the very least, apply any workarounds available.

In light of the recent withdrawal of the Windows XP security update (not actually a patch, just an enhancement), administrators are going to be rightly leery of rushing to install Microsoft patches. With MS03-018, you can take a step back and determine whether to install it.