Microsoft Security Bulletin (MS00-028)

[secnotif () MICROSOFT COM (Microsoft Product Security)]

The following is a Security  Bulletin from the Microsoft Product Security
Notification Service.

Please do not  reply to this message,  as it was sent  from an unattended
mailbox.
                    ********************************

-----BEGIN PGP SIGNED MESSAGE-----

Microsoft Security Bulletin (MS00-028)
- --------------------------------------

Procedure Available to Eliminate "Server-Side Image Map Components"
Vulnerability

Originally Posted: April 21, 2000

Summary
=======
A procedure is available to eliminate a security vulnerability
affecting several web server products. The vulnerability could
potentially allow a malicious web site visitor to perform actions that
the system permissions authorize him to perform, but  which he
previously may have had no means of actually carrying out.

Frequently asked questions regarding this vulnerability and the
remediation for it can be found at
http://www.microsoft.com/technet/security/bulletin/fq00-028.asp

Issue
=====
The FrontPage 97 and 98 Server Extensions include two components,
Htimage.exe and Imagemap.exe, that provide CERN- and  NCSA-compliant
server side image mapping support, respectively, for legacy browsers.
Both components contain unchecked  buffers that could be used to run
arbitrary code. Although part of the Server Extensions, these
components also install as  part of several other web server products.

The risk posed by this vulnerability is significantly restricted by
the fact that the affected components run "out of  process" and in the
security context of the user. Thus, there is no capability through
this vulnerability to cause either the  web service or the server
itself to crash, nor is there an opportunity to run code in an
elevated security context. However,  it still could be possible for a
malicious user to perform actions that, though permitted, he would
otherwise be unable to  take because the functionality was not exposed
via a web page or script.

Affected Software Versions
==========================
The affected components are part of the FrontPage 97 and 98 Server
Extensions. However, they also are distributed with  several other web
server products. The complete list of products in which these
components ship is:
 - FrontPage 97 Server Extensions, which ship as part of FrontPage 97
 - FrontPage 98 Server Extensions, which ship as part of FrontPage 98
 - Microsoft(r) Windows NT(r) 4.0 Option Pack, which is the primary
   distribution mechanism for Internet Information Server 4.0
 - Personal Web Server 4.0, which ships as part of Windows(r) 95
   and 98

Remediation
===========
To eliminate this vulnerability, customers who are hosting web sites
using any of the affected products should delete all  copies of the
files Htimage.exe and Imagemap.exe from their servers. The FAQ
provides step-by-step instructions for doing  this. The only
functionality lost by deleting the file is the ability to support
image mapping for web site visitors using  legacy browser products.

ISPs and other customers who allow others to self-manage web sites
should be aware that users who use FrontPage 97 or 98 to  manage their
sites could unknowingly re-introduce the affected components onto
their sites when they upload content to it.  This would not endanger
the server at large, but could nevertheless be cause for concern. The
FAQ discusses how to use  functionality provided as part of the Server
Extensions to prevent this from happening.

More Information
================
Please see the following references for more information related to
this issue.
 - Frequently Asked Questions: Microsoft Security Bulletin MS00-028,
   http://www.microsoft.com/technet/security/bulletin/fq00-028.asp
 - Microsoft Knowledge Base article Q260267 discusses this issue and
   will be available soon.
 - Microsoft TechNet Security web site,
   http://www.microsoft.com/technet/security/default.asp

Obtaining Support on this Issue
===============================
Information on contacting Microsoft Technical Support is available at
http://support.microsoft.com/support/contact/default.asp.

Revisions
=========
 - April 21, 2000: Bulletin Created.

- ----------------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED
"AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT  DISCLAIMS ALL
WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR  PURPOSE. IN NO EVENT
SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES
WHATSOEVER INCLUDING DIRECT,  INDIRECT, INCIDENTAL, CONSEQUENTIAL,
LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT
CORPORATION OR ITS  SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF
SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF
LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING
LIMITATION MAY NOT APPLY.

Last updated April 21, 2000

(c) 2000 Microsoft Corporation. All rights reserved. Terms of use.

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.0.2

iQEVAwUBOQDQkI0ZSRQxA/UrAQEKcgf9Ejn3jVZISZYVY774xgsZZlyT/t0XIlX9
PPR0PRc0wHlis2vub/dmAILchL5Pf4cUnveDvJbkySrz5TlX6zIDEPbGROWpYO7f
/BAgKFhQJ0oBdkOyWsrV73l9C5cVN8znboBp83hnmO0q4cbQB+AXcbIIuLTzKzpa
0EGD9/b2ENqnWF1OAQ6sE7fdBJM0Qlp+/Gh5b+FUQRUlYs/jQDXx6rpdM8J3Qeyx
2pHJLcJ0BAB0G0UgZSxfKRqieXgrYbZxHa7Z63osJ3nwiZkpaLBXmMmXSp933tXR
ulzcGy+mUHdPWyDnbSig7FiuOq/AEFkZ9ygtdiG97asqY9/uv3zc8w==
=mrV7
-----END PGP SIGNATURE-----

   *******************************************************************
You have received  this e-mail bulletin as a result  of your registration
to  the   Microsoft  Product  Security  Notification   Service.  You  may
unsubscribe from this e-mail notification  service at any time by sending
an  e-mail  to  MICROSOFT_SECURITY-SIGNOFF-REQUEST () ANNOUNCE MICROSOFT COM
The subject line and message body are not used in processing the request,
and can be anything you like.

To verify the digital signature on this bulletin, please download our PGP
key at http://www.microsoft.com/technet/security/notify.asp.

For  more  information on  the  Microsoft  Security Notification  Service
please  visit  http://www.microsoft.com/technet/security/notify.asp.  For
security-related information  about Microsoft products, please  visit the
Microsoft Security Advisor web site at http://www.microsoft.com/security.