Malformed "GET" URLs Can Crash IIS
Reported December 21, 1998 by Eugene Kalinin and Brian Steele


  • Internet Information Server 3.0 and 4.0


Malformed URLs consisting of the GET statement and other erroneous data can cause the IIS service to consume all available resources and render the service unresponsive.


Information about the problem resides in Knowledge Base article Q192296, "IIS: Patch Available for IIS "GET" Vulnerability."

Microsoft has released the following hot fixes:

IIS 3.0 on Intel platforms:

IIS 3.0 on Alpha platforms:


IIS 4.0 on Intel platforms:

IIS 4.0 on Alpha platforms:

To learn more about NT Security concerns, subscribe to NTSD

- Originally reported by Eugene and Brian via Microsoft
- Posted on The NT Shop on December 21, 1998