Original release date: June 16, 1999<BR>
Last revised: June 18, 1999<BR>
Source: CERT/CC<BR>

<P>A complete revision history is at the end of this file.

<H3>Systems Affected</H3>

<UL>
<LI>Machines running Microsoft Internet Information Server 4.0
</UL>

<H2>I. Description</H2>

<P>Buffer overflow vulnerabilities affecting Microsoft Internet
Information Server 4.0 have been discovered in several libraries,
including libraries that handle .HTR, .STM, and .IDC files.


<P>A tool to exploit at least one of the vulnerabilities has been publicly
released. 

<H2>II. Impact</H2>

<P>These vulnerabilities allow remote intruders to execute arbitrary
code with the privileges of the IIS server.  Additionally, intruders
can use these vulnerabilities to crash vulnerable IIS processes.

<H2>III. Solution</H2>

<P>Microsoft has released and updated Microsoft Security Bulletin
MS99-019, which points to a patch for these vulnerabilities.  We
encourage you to read this bulletin, available from

<DL><DD>
  <A HREF="http://www.microsoft.com/security/bulletins/ms99-019.asp">
  http://www.microsoft.com/security/bulletins/ms99-019.asp</A>
</DL>

<P>We will update this advisory as more information becomes available.
Please check the CERT/CC Web site for the most current revision.

<hr>
<p>
Our thanks to Jason Garms and Scott Culp of Microsoft for providing
information contained in this advisory.


<p>Copyright 1999 Carnegie Mellon University.</p>

<HR>

Revision History
<PRE>
June 16, 1999:  Initial release
June 18, 1999:  Added information about .STM and .IDC files.
</PRE>