Original release date: June 16, 1999<BR>
Last revised: June 18, 1999<BR>
Source: CERT/CC<BR>
<P>A complete revision history is at the end of this file.
<H3>Systems Affected</H3>
<UL>
<LI>Machines running Microsoft Internet Information Server 4.0
</UL>
<H2>I. Description</H2>
<P>Buffer overflow vulnerabilities affecting Microsoft Internet Information Server 4.0 have been discovered in several libraries, including libraries that handle .HTR, .STM, and .IDC files.
<P>A tool to exploit at least one of the vulnerabilities has been publicly released.
<H2>II. Impact</H2>
<P>These vulnerabilities allow remote intruders to execute arbitrary code with the privileges of the IIS server. Additionally, intruders can use this vulnerability to crash vulnerable IIS processes.
<H2>III. Solution</H2>
<P>Microsoft has released and updated Microsoft Security Bulletin MS99-019, which points to a patch for these vulnerabilities. We encourage you to read this bulletin, available from
<DL><DD>
<A HREF="http://www.microsoft.com/security/bulletins/ms99-019.asp">http://www.microsoft.com/security/bulletins/ms99-019.asp</A>
</DL>
<P>We will update this advisory as more information becomes available. Please check the CERT/CC Web site for the most current revision.
<hr>
<p>Our thanks to Jason Garms and Scott Culp of Microsoft for providing information contained in this advisory.
<p>Copyright 1999 Carnegie Mellon University.</p>
<HR>
Revision History
<PRE>
June 16, 1999: Initial release
June 18, 1999: Added information about .STM and .IDC files.
</PRE>