IIS ISAPI Filter PlainText Leak
Reported December 02, 1999 by Microsoft

VERSIONS AFFECTED
  • Microsoft IIS 4.0
  • Microsoft Site Server 3.0
  • Microsoft Site Server Commerce Edition 3.0

DESCRIPTION

Microsoft reported a vulnerability in the SSL ISAPI filter shipped with Internet Information Server and used by other Microsoft products.

According to the report, "If called by a multi-threaded application under very specific, and fairly rare, circumstances, a synchronization error in the filter could allow a single buffer of plaintext to be transmitted back to the data's owner."

"The SSL ISAPI filter provided as part of IIS supports concurrent use. When used in this mode, a synchronization problem could induce a race condition and cause a single buffer of plaintext to be leaked. The conditions under which this could happen are very rare, and could only occur when a single user's session was multi-threaded and traffic volumes were extremely high."

According to Microsoft, the scope of this vulnerability is very limited: "the leaked plaintext would always be sent to its owner, and never another user. Also, because the leaked data would fail its integrity check, the effect of the leak would be to cause the SSL session to immediately collapse. The condition could not be induced by a hostile user, and would offer at best a target of opportunity."

"Finally, it is worth noting that this vulnerability only affects the SSL ISAPI filter, not the secure communications capability provided by Windows NT via Schannel."

VENDOR RESPONSE

Microsoft issued a patch (Intel and Alpha builds), a FAQ, and Support Online article Q244613 regarding this matter.

CREDITS
Discovered by ?