Malformed URL can cause IIS 5.0 and Exchange 2000 to stop service
(Reposted from Green Meng Technology)
Release Date: 2001-3-13
Update Date: 2001-3-13
Affected system:
Microsoft Internet Information Services 5.0
Microsoft Exchange 2000
Description:
--------------------------------------------------------------------------------
IIS 5.0 has a security vulnerability. If an attacker submits a carefully constructed URL
whose length falls within a specific range to an affected system, it may cause a memory
allocation error in IIS, making the IIS service fail.
Exchange 2000 is also affected by the same problem. To support web-based mail clients,
Exchange 2000 also provides features accessible through URLs. This functionality is
implemented partly by IIS 5.0 and partly within Exchange 2000, and both parts of the code
have this vulnerability. However, the attack can only make IIS fail and cannot harm the
Exchange service. The only result is that users can no longer use web-based mail clients
to access Exchange; MAPI-based mail clients, such as Outlook, can still access Exchange.
IIS 5.0 restarts automatically after being attacked, so it returns to normal operation once the attack stops.
<* Source: Kevin Kotas of EsecurityOnline.com (http://esecurityonline.com)
Microsoft Security Bulletin (MS01-014): http://www.microsoft.com/technet/security/bulletin/ms01-014.asp
*>
--------------------------------------------------------------------------------
Recommendation:
Vendor patch:
Microsoft has released a security bulletin (MS01-014) and corresponding patches for this issue.
Microsoft Security Bulletin (MS01-014):
http://www.microsoft.com/technet/security/bulletin/ms01-014.asp
Patch download:
Microsoft IIS 5.0:
http://www.microsoft.com/downloads/release.asp?releaseid=28155
Microsoft Exchange 2000:
http://www.microsoft.com/downloads/release.asp?releaseid=28369
Note: Exchange 2000 administrators should install both of the patches above.