IIS 101

Since Microsoft released Windows 2000 in December 1999, a handful of security-related fixes have appeared. In this issue, I tell you which patches affect IIS 5.0 and which patches you should install on your key servers. Before I delve in, you need to be aware of some caveats regarding hotfixes. Microsoft releases hotfixes to the public without full regression testing. On the contrary, Microsoft fully tests service packs before release. It’s extremely important, then, for you to take great care in applying hotfixes and be sure to back up your systems before installing them. In general, you should make a full backup on any production system before making changes, regardless of how easy the changes seem.

Hotfix Checking Tool
In September 2000, Microsoft released a great tool that lets you check your IIS 5.0 systems for necessary hotfixes. With this tool, which you can download at http://www.microsoft.com/downloads/release.asp?releaseid=24168, you can periodically or continuously monitor your servers for hotfixes you might need to apply to them. I highly recommend downloading this tool and running it on your servers to see whether you’re missing any important fixes.

Win2K SP1
In July 2000, Microsoft released Service Pack 1 (SP1) for Win2K, which fixed many security vulnerabilities in the OS and IIS. (You can find a list of all the vulnerabilities SP1 fixed at http://www.microsoft.com/technet/security/w2ksp1.asp.) I recommend that everyone running Win2K install SP1 on their production servers. SP1 contains many fixes related to IIS 5.0, and Microsoft released three of these fixes earlier as hotfixes.

As of mid-December 2000, Microsoft had released seven post-SP1 security patches. (You can see a list of all these patches at http://www.microsoft.com/technet/security/current.asp?productid=15.) Let’s examine which vulnerabilities you need to be concerned with.

MS00-044, Absent Directory Browser Argument
In July 2000, Microsoft released a patch for the Absent Directory Browser Argument vulnerability. This vulnerability highlights an administrative script that a malicious user can put into an infinite loop. This script could result in 100 percent CPU utilization and essentially a Denial of Service (DoS) situation.

MS00-057, File Permission Canonicalization
The File Permission Canonicalization vulnerability might let malicious users access files on which you’ve placed restrictive permissions by using a malformed URL that would use the permissions of a directory above the target file. This vulnerability affects only Common Gateway Interface (CGI) or Internet Server API (ISAPI) pages and doesn’t let an intruder enumerate your file structure. Such an attack is difficult to produce, but if you’re concerned about your servers, install the patch.

MS00-058, Specialized Header
The Specialized Header vulnerability lets malicious users view the source code of Web pages if the users use a specialized header and add some characters to the end of the URL string.

According to the Microsoft security bulletin, SP1 includes the fix for this vulnerability.

MS00-060, IIS Cross-Site Scripting
The IIS Cross-Site Scripting vulnerability is fairly complex. This vulnerability lets a third-party Web site inject code into a trusted site. Unknowing users then execute this code and think that the result was something that the Web master put on the trusted Web site. For more information about this vulnerability, see the Microsoft white paper "Information on Cross-Site Scripting Security Vulnerability" (http://www.microsoft.com/technet/security/crssite.asp). I recommend reading up on this vulnerability: It’s very complex, especially if you’re running many forms that might be vulnerable. Be sure to install the patch to prevent this vulnerability on your site.

MS00-078, Web Server Traversal
The Web Server Traversal vulnerability lets malicious users add, change, or remove data and Web pages from your server. The patch for the File Permission Canonicalization vulnerability fixes this bug, too. I highly recommend this patch for any publicly accessible server.

MS00-080, Session ID Cookie Marking
The Session ID Cookie Marking vulnerability lets malicious users hijack a secure session by using a matching session ID from a nonsecure session. Microsoft has admitted that this bug resulted from a lack of compliance with Internet Engineering Task Force (IETF) Request for Comments (RFC) 2109 on secure session IDs. (For more information about secure session IDs, see the full RFC at http://www.cis.ohio-state.edu/htbin/rfc/rfc2109.html.)

However, the user is extremely unlikely to meet the conditions for launching this type of attack because the user would need to have control over the secure session. I recommend waiting until Microsoft releases SP2 for this one. (At the time of this article’s publication, there was no estimated release time for SP2.)

MS00-086, Web Server File Request Parsing
The Web Server File Request Parsing vulnerability lets malicious users execute Win2K commands on a Web server. Unfortunately, this attack is simple to carry out. Usually, when IIS receives a request for an executable file, IIS passes the executable file request to the OS to execute. This new flaw lets malicious users add one or more OS commands to these requests. I recommend that you install this patch as soon as possible to avoid such attacks.

Keep Up with Security
In addition to these vulnerabilities, I recommend making Microsoft’s security page (http://www.microsoft.com/security) one of your favorite bookmarks; visit the site at least once a month, and make sure you’re not at risk with any of the products you use in your environment. Also, monitor other major security sites, such as SecurityFocus.com (http://www.securityfocus.com), Windows IT Security (http://www.windowsitsecurity.com), and NTBugtraq (http://www.ntbugtraq.com).