If you have a Web server running IIS on Windows NT 4.0 or Windows 2000 (or even Windows XP), you’ve got some new security problems to deal with. In what can only be viewed as a bad week for Microsoft, the company recently disclosed 10 previously unpatched vulnerabilities in Internet Information Server (IIS), and several of them have been rated as critical threats.

Some of the vulnerabilities are buffer overruns that can allow attackers to run arbitrary code on the server, or that can leave the server open to hosting, or being the target of, denial of service attacks. Other flaws are less critical but could still cause damage.

If you’re running almost any version of IIS, you need to update it with the latest patches from Microsoft.

In MS02-018, which describes these 10 vulnerabilities and the associated patches, Microsoft indicates the single exception. “Beta versions of .NET Server after Build 3605 contain fixes for all of the vulnerabilities affecting IIS 6.0. As discussed in the [MS02-018] FAQ, Microsoft is working directly with the small number of customers who are using the .NET Server beta version in production environments to provide immediate remediation for them.”

Risk levels—low to critical
Since at least three of these vulnerabilities affecting IIS 4.0, IIS 5.0, and IIS 5.1 are rated critical by Microsoft, the cumulative patches are very important unless you have installed IIS Lockdown Tool according to best practices and don’t need the services that Lockdown disables.


As usual, Microsoft warns that the company does not test or report on vulnerabilities in any older versions of software that the company no longer supports.

Mitigating factors
eEye Digital Security reports that these vulnerabilities are not mitigated by firewalls or intrusion detection systems.

The FTP denial of service attack is a threat only where FTP services are enabled, which is the default for IIS 4.0, but not IIS 5.0 or IIS 5.1.

The following versions and configurations are not exposed to the specific vulnerabilities listed, but they still need the cumulative patches for the other threats:

  • IIS 5.1 is not vulnerable to the chunked encoding memory vulnerability (CAN-2002-0079) or the .htr file request buffer overflow (CAN-2002-0071).
  • IIS 4.0 is not vulnerable to one of the cross-site scripting threats.
  • The FTP status request DoS vulnerability will be defeated if FTP is not enabled. The IIS Lockdown Tool disables FTP by default.
  • The cross-site scripting vulnerabilities can be exploited only if the attacker can get the target user to visit a malicious Web site or open an HTML e-mail.

Other vulnerabilities can be used to take over the server and run arbitrary code. However, in the IIS 5.0 and IIS 5.1 versions, the attacker would have only IWAM_computername account privileges, which, by default, are quite limited.

For IIS 5.0 and IIS 5.1 users, the IIS Lockdown Tool, if installed, removes ASP by default and therefore eliminates the chunked encoding threat, the server-side includes filename and size verification buffer overflow, and the HTTP header field parsing buffer overflow.

Microsoft has long recommended disabling .htr, and the .htr file request buffer overflow threat is disabled by all releases of the IIS Lockdown Tool. In any case, if this vulnerability is used to trigger a DoS event, IIS 4.0 can simply be restarted; both IIS 5.0 and IIS 5.1 will restart automatically.
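Whether you can rely on the Lockdown mitigations above depends on whether the site actually needs ASP or .htr. The following is an added example, not part of the original article or any Microsoft tool: it counts successful requests per extension in a W3C extended format IIS log so you can see which mappings are in use. The log lines are constructed samples, and the extension-to-threat mapping is taken from the paragraphs above.

```python
from collections import Counter
from pathlib import PurePosixPath

# Mapping taken from the article: removing a feature covers these threats.
LOCKDOWN_COVERAGE = {
    ".asp": ["chunked encoding",
             "server-side includes filename and size verification overflow",
             "HTTP header field parsing overflow"],
    ".htr": [".htr file request buffer overflow"],
}

# Constructed sample in W3C extended log format (not real traffic).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2002-04-12 10:01:02 192.0.2.10 GET /default.htm 200
2002-04-12 10:01:05 192.0.2.10 GET /orders/list.asp 200
2002-04-12 10:02:11 192.0.2.44 POST /orders/add.asp 302
2002-04-12 10:03:40 192.0.2.77 GET /images/logo.gif 200
"""

def extension_usage(log_text):
    """Count successful (2xx/3xx) requests per watched extension."""
    fields, hits = [], Counter()
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names for the rows that follow
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        ext = PurePosixPath(row.get("cs-uri-stem", "")).suffix.lower()
        # Errors such as 404 do not show that the site depends on the mapping.
        if ext in LOCKDOWN_COVERAGE and row.get("sc-status", "")[:1] in ("2", "3"):
            hits[ext] += 1
    return hits

def lockdown_report(log_text):
    """Per extension: request count, whether it is in use, threats it covers."""
    hits = extension_usage(log_text)
    return {ext: {"requests": hits[ext], "in_use": hits[ext] > 0, "covers": threats}
            for ext, threats in LOCKDOWN_COVERAGE.items()}

if __name__ == "__main__":
    for ext, info in lockdown_report(SAMPLE_LOG).items():
        state = "in use, removal not an option" if info["in_use"] else "unused, can be removed"
        print(f"{ext}: {info['requests']} requests, {state}; covers {', '.join(info['covers'])}")
```

An extension that shows as in use cannot be removed without breaking the site, so the cumulative patch is the only protection against the threats listed for it.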

Patches for the three vulnerable servers that Microsoft still supports are available as follows:

One word of warning, according to a report from CNET News: “Engineers with SecurityFocus said that installing the patch broke some functions of IIS’s SiteServer module that enables authentication and Web site customization.” This makes SiteServer authentication unreliable.

Final word
Microsoft credits eEye Digital Security with discovering one of the vulnerabilities, and eEye presents some specific examples of the vulnerability on its Windows 2000 and NT4 IIS .ASP Remote Buffer Overflow page. Microsoft also credits a number of other companies and individuals with discovering and reporting most of the other vulnerabilities. The Redmond giant appears to have discovered only a slight variation of one of the vulnerabilities on its own.

Although I have listed the direct links to the cumulative patches, I strongly recommend that instead of using them, you access them through this TechNet link so that you can see any possible patch updates. This is always a good idea but particularly so in this instance. In the two days following the initial release of MS02-018, two updates were already posted.