---------- Forwarded message ---------- Date: Mon, 29 Jan 2001 22:21:39 -0800 From: Microsoft Product Security <[EMAIL PROTECTED]> To: [EMAIL PROTECTED] Subject: Microsoft Security Bulletin (MS01-004) The following is a Security Bulletin from the Microsoft Product Security Notification Service. Please do not reply to this message, as it was sent from an unattended mailbox. ******************************** -----BEGIN PGP SIGNED MESSAGE----- - ---------------------------------------------------------------------- - - Title: Patch Available to Eliminate New Variant of "File Fragment Reading via .HTR" Vulnerability Date: 29 January 2001 Software: IIS 4.0 and 5.0 Impact: File Reading Bulletin: MS01-004 KB Article: Q285985 (available soon) Microsoft encourages customers to review the Security Bulletin at: http://www.microsoft.com/technet/security/bulletin/ms01-004.asp - ---------------------------------------------------------------------- Issue: ====== This vulnerability involves a new variant of the "File Fragment Reading via .HTR" vulnerability, previous variants of which were discussed in Microsoft Security Bulletins MS00-031 and MS00-044. Like the original variants, this one could enable an attacker to request a file in a way that would cause it to be processed by the .HTR ISAPI extension. The result of doing this is that fragments of server-side files like .ASP files could potentially be sent to the attacker. There is no capability via the vulnerability to add, change or delete files on the server, or to access a file without permissions. Mitigating Factors: ==================== - Microsoft has long recommended that customers disable the .HTR functionality unless there is a business-critical reason not to. Customers who have followed this recommendation would be at no risk from this vulnerability. - Best practices strongly recommend against ever including sensitive information in .ASP and other server-side files. If this recommendation has been followed, there would be no sensitive information in the file to compromise. - The .HTR processing would tend to strip out the sections of the file most likely to contain sensitive information. - There would need to be zeros located fortuitously in memory to serve as null terminators for the data. - ---------------------------------------------------------------------- THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY. -----BEGIN PGP SIGNATURE----- Version: PGP Personal Privacy 6.5.3 iQEVAwUBOnZdc40ZSRQxA/UrAQE/wQgAiy8+ftZI6wKBA/rVdJKMEENH8J4DdVKt f1C/fWA+j2p6OKiW3N/Iekzl8ANGAH+2hjURumJFx79scXtoJkQe1klP0bXAKYIT DlxmkquXY9QVKnNRascL0IeGGfyG/P/YyKbbUuN5t5VboaLPoNbYfnZA4hQ7zwVu GQaZaMT2WCtttgsE8x/ARyb30rK3/WWvQehopATMghD3cSZqB6JEpFsk/qoz7ipP /6G6+oUKbvUZvh7zdSFxRuUbi7Ax5WMl8oGsTm7zQ+maksFYSqShWoOcD6JFsB+n kb0aDOBDyZ2QVG/SkdmUQOMwPQWEF38ihoW3wZb0Q/xwfyhtH9ch3g== =xOUo -----END PGP SIGNATURE----- ******************************************************************* You have received this e-mail bulletin as a result of your registration to the Microsoft Product Security Notification Service. You may unsubscribe from this e-mail notification service at any time by sending an e-mail to [EMAIL PROTECTED] The subject line and message body are not used in processing the request, and can be anything you like. To verify the digital signature on this bulletin, please download our PGP key at http://www.microsoft.com/technet/security/notify.asp. For more information on the Microsoft Security Notification Service please visit http://www.microsoft.com/technet/security/notify.asp. For security-related information about Microsoft products, please visit the Microsoft Security Advisor web site at http://www.microsoft.com/security.