Re-release of Patch for "Double Byte Code Page" Vulnerability

[aleph1 () UNDERGROUND ORG (Aleph One)]

The following is a Security  Bulletin from the Microsoft Product Security
Notification Service.

Please do not  reply to this message,  as it was sent  from an unattended
mailbox.
                    ********************************

Re-release of Patch for "Double Byte Code Page" Vulnerability
-------------------------------------------------------------

August 20, 1999

Issue
=====
Microsoft has identifed and corrected a regression error in the IIS 4.0
version of the previously-released patch for the "Double Byte Code Page"
vulnerability.  The corrected patch has been re-released, and an updated
security bulletin is available at
http://www.microsoft.com/security/bulletins/ms99-022.asp.

Details
=======
Shortly after releasing the patch for the "Malformed HTTP Request Header"
vulnerability (http://www.microsoft.com/Security/Bulletins/ms99-029.asp),
Microsoft discovered a regression error in it.  We investigated all
previously-released patches to determine whether any others were affected by
the error, and discovered that one other patch was affected -- the IIS 4.0
version of the patch for the "Double Byte Code Page" vulnerability. On
August 16, 1999, we re-released the patch for the "Malformed HTTP Request
Header" vulnerability, and today are re-releasing the patch for the "Double
Byte Code Page" vulnerability.  We have verified that no other security
patches are affected by this vulnerability, and have corrected our code base
to eliminate the error from all future IIS 4.0 releases.

The regression error is completely unrelated to the vulnerabilities, and
does not change our diagnosis of either.  The error occurs if the IIS log
file grows to a size that is an exact multiple of 64KB; if this happens, the
server will hang.  The problem can be resolved by stopping the IIS service,
starting a new log file, and restarting the IIS service.  The regression
error affected only IIS 4.0, and was introduced after Windows NT 4.0 Service
Pack 5.

How to Identify the Re-released Patches
=======================================
 - The re-released patches for the "Double Byte Code Page" are
   timestamped August 17, 1999.  (Please note that the IIS 3.0 patches
   were unaffected by the regression error, so they are still
   timestamped June 24, 1999).
 - The re-released patches for the "Malformed HTTP Request Header"
   are timestamped August 12, 1999.

What Customers Should Do
========================
You do not need to take any action if ANY of the following apply to you:
 - You are running IIS 3.0.
 - You have not installed any IIS 4.0 patches released after
   Windows NT 4.0 Service Pack 5.
 - You have installed the re-released patch for the "Malformed HTTP
   Request Header" vulnerability.

You need to take action if ALL of the following apply to you:
 - You applied the original version of either the "Double Byte Code Page"
   patch or the "Malformed HTTP Request Header" patch.
 - You have not applied the re-released version of either patch.

If you need to take action, you should apply the re-released patches for
either the "Maformed HTTP Request Header" or "Double Byte Code Page"
vulnerabilities.  Applying either of the patches will correct the error.
It's not necessary to "back out" either of the original patches; just
download the new version of either patch and install it.

Obtaining Support on this Issue
===============================
This is a fully supported patch. Information on contacting Microsoft
Technical Support is available at
http://support.microsoft.com/support/contact/default.asp.

---------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS"
WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER
EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS
SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN
IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR
LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE
FOREGOING LIMITATION MAY NOT APPLY.

(c) 1999 Microsoft Corporation. All rights reserved. Terms of Use.

   *******************************************************************
You have received  this e-mail bulletin as a result  of your registration
to  the   Microsoft  Product  Security  Notification   Service.  You  may
unsubscribe from this e-mail notification  service at any time by sending
an  e-mail  to  MICROSOFT_SECURITY-SIGNOFF-REQUEST () ANNOUNCE MICROSOFT COM
The subject line and message body are not used in processing the request,
and can be anything you like.

For  more  information on  the  Microsoft  Security Notification  Service
please visit http://www.microsoft.com/security/services/bulletin.asp. For
security-related information  about Microsoft products, please  visit the
Microsoft Security Advisor web site at http://www.microsoft.com/security.