NT IIS 2.0 Bug -- Fix available.

[Russ.Cooper () RC on ca (Russ)]

All,
*
After Service Pack 1 for Windows NT 4.0 was released, a bug was found
in Internet Information Server 2.0 (HTTP, FTP, Gopher server) that
would permit someone to easily crash IIS (not NT) via an HTTP command.
Yesterday, the information on how to crash IIS was sent out to a
variety of mailing lists. The result is that a lot of people have this
information in their hands, to do with as they please.
*
A fix has been made available by Microsoft. This fix is to be included
in their next service pack for NT (SP2) which is due out around Dec.
20th. In the meantime, Service Pack 1 has been revised to include this
fix and is available via anonymous FTP from;
*
ftp://ftp.microsoft.com/transfer/outgoing/bussys/mail/sp1a.zip
*
I strongly recommend that any NT 4.0 IIS site, which is exposed to
untrusted networks, should review and apply the above service pack as
soon as possible.
*
Cheers,
Russ
R.C. Consulting, Inc. - NT/Internet Security Consulting
mailto:Russ.Cooper () RC on ca <-- *note the new address*


Cheers,
Russ
R.C. Consulting, Inc. - NT/Internet Security Consulting
mailto:Russ.Cooper () RC on ca <-- *note the new address*