Bugtraq mailing list archives
Microsoft Security Bulletin MS01-016
From: Microsoft Product Security <secnotif () MICROSOFT COM>
Date: Thu, 8 Mar 2001 14:16:19 -0800
The following is a Security Bulletin from the Microsoft Product Security Notification Service.

Please do not reply to this message, as it was sent from an unattended mailbox.
********************************

-----BEGIN PGP SIGNED MESSAGE-----

- ----------------------------------------------------------------------
Title:      Malformed WebDAV Request Can Cause IIS to Exhaust CPU Resources
Date:       08 March 2001
Software:   IIS 5.0
Impact:     Denial of Service
Bulletin:   MS01-016

Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com/technet/security/bulletin/MS01-016.asp.
- ----------------------------------------------------------------------

Issue:
======
WebDAV is an extension to the HTTP protocol that allows remote authoring and management of web content. In the Windows 2000 implementation of the protocol, IIS 5.0 performs initial processing of all WebDAV requests, then forwards the appropriate commands to the WebDAV process. However, a flaw exists in the way WebDAV handles a particular type of malformed request. If a stream of such requests were directed at an affected server, it would consume all CPU availability on the server.

Because the discoverer of this vulnerability has chosen to publish code to exploit this vulnerability before a patch could be developed, Microsoft has developed a workaround that can be used to defend against attack. Knowledge Base article Q241520 provides step-by-step instructions for changing the permissions on the .DLL that provides WebDAV services in order to effectively disable it on the machine. When a patch is available, we will re-release this bulletin and provide updated information.

Microsoft recommends that customers consider applying the workaround to any servers running IIS 5.0. Although this obviously includes web servers, other services, notably Exchange 2000, may also require that IIS 5.0 be enabled.

Mitigating Factors:
====================
 - The effect of an attack via this vulnerability would be temporary. The server would automatically resume normal service as soon as the malformed requests stopped arriving.
 - The vulnerability does not provide an attacker with any capability to carry out WebDAV requests.
 - The vulnerability does not provide any capability to compromise data on the server or gain administrative control over it.

Patch Availability:
===================
 - A patch is currently under development and will be released shortly. In the meantime, Knowledge Base article Q241520 (http://www.microsoft.com/technet/support/kb.asp?ID=241520) provides a workaround that can be used to protect against this vulnerability.

Please read the Security Bulletin http://www.microsoft.com/technet/security/bulletin/ms01-016.asp for more information on this vulnerability.

- ---------------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.3
-----END PGP SIGNATURE-----

*******************************************************************
You have received this e-mail bulletin as a result of your registration to the Microsoft Product Security Notification Service. You may unsubscribe from this e-mail notification service at any time by sending an e-mail to MICROSOFT_SECURITY-SIGNOFF-REQUEST () ANNOUNCE MICROSOFT COM
The subject line and message body are not used in processing the request, and can be anything you like.

To verify the digital signature on this bulletin, please download our PGP key at http://www.microsoft.com/technet/security/notify.asp.

For more information on the Microsoft Security Notification Service please visit http://www.microsoft.com/technet/security/notify.asp. For security-related information about Microsoft products, please visit the Microsoft Security Advisor web site at http://www.microsoft.com/security.
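
Added example, not part of the Microsoft bulletin: the workaround above disables WebDAV, and the WebDAV specification (RFC 2518) requires a DAV-compliant resource to return a DAV header on OPTIONS responses, so a captured OPTIONS response can be checked for remaining WebDAV advertisement. The function names and both sample responses are constructed for illustration.

```python
# Added example: decide from a captured HTTP OPTIONS response whether a server
# still advertises WebDAV. The sample responses at the bottom are constructed.
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"}


def parse_headers(raw_response):
    """Return (status_code, {lower-case header name: [values]})."""
    head = raw_response.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    parts = lines[0].split()
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError("not an HTTP response: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        if line[:1] in (" ", "\t") or ":" not in line:
            continue  # ignore folded continuation lines and malformed lines
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return int(parts[1]), headers


def _tokens(headers, name):
    """Split every occurrence of a comma-separated header into tokens."""
    out = []
    for value in headers.get(name, []):
        out.extend(t.strip() for t in value.split(",") if t.strip())
    return out


def webdav_advertised(raw_response):
    """Report the WebDAV evidence found in an OPTIONS response."""
    status, headers = parse_headers(raw_response)
    classes = _tokens(headers, "dav")  # compliance classes, e.g. "1", "2"
    methods = set()
    for name in ("allow", "public"):
        methods.update(t.upper() for t in _tokens(headers, name))
    dav_methods = sorted(methods & WEBDAV_METHODS)
    return {"status": status, "dav_classes": classes, "dav_methods": dav_methods,
            "advertised": bool(classes or dav_methods)}


# Constructed sample responses (not captured from a real server).
SAMPLE_DAV_ON = ("HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/5.0\r\nDAV: 1, 2\r\n"
                 "Allow: OPTIONS, GET, HEAD, PROPFIND, LOCK, UNLOCK\r\n\r\n")
SAMPLE_DAV_OFF = ("HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/5.0\r\n"
                  "Allow: OPTIONS, TRACE, GET, HEAD\r\n\r\n")
```

A response that still advertises WebDAV shows the workaround is not in effect on that server; the absence of these headers is only an indication, so the permission change from Q241520 should still be confirmed on the machine itself.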