Reported March 1, 2001, by Microsoft.

VERSIONS AFFECTED

  • Microsoft IIS Server 5.0

  • Microsoft Exchange 2000 Server

DESCRIPTION

IIS 5.0 and Exchange 2000 servers both contain a flaw that might result in a Denial of Dervice (DoS). By repeatedly sending a URL of a specific construction, a malicious user can cause a memory allocation error resulting in the failure of the IIS service. The Messaging API (MAPI)-based mail clients under Exchange 2000 are not affected, but the IIS service failure can temporarily disrupt the Web-based mail clients until the automatic restart of the affected services. The flaw exists in both the code module of IIS and Exchange 2000. For this reason, Exchange 2000 administrators should apply both available patches that address this vulnerability.

This particular vulnerability does not let the attacker gain administrative control or alter any data on the server. A properly configured Exchange 2000 server would be less at risk than an IIS server due to the Internet Server API (ISAPI) involved in authenticating the user prior to servicing the request.

VENDOR RESPONSE

 Microsoft has issued security bulletin MS01-014 to address this vulnerability.

CREDIT
Discovered by Kevin Kotas of eSecurityOnline.com .