It must be not be much fun to work on Microsoft's Internet Information Services 5.0 (IIS) these days. The first two weeks of May saw the discovery of a number of security flaws in IIS, including ones that might lead to denial of service (DoS) attacks or allow an attacker to take near-total control of a system.
On Tuesday, Microsoft issued yet another patch, this time for IIS version 4.0 (Service Pack 5 and higher) and version 5.0, which will protect against other DoS and takeover attacks, as well as correct problems created by other "fixes."
The new patch, available now at Microsoft's TechNet Web site, fixes three flaws in the IIS software. The first flaw allows an attacker to gain the ability to execute programs on the system by sending a certain sequence of packets of data, though it would not allow the attacker to gain administrator-level privileges. The second problem fixed in the update concerns an FTP (file transfer protocol) DoS which could cause the program to run out of memory, thus causing all connections to shut down. Finally, another issue with FTP services could have allowed an attacker to gain access to "Guest" accounts, though this vulnerability seems to be the most minor.
The new patch also fixes new flaws introduced by three Microsoft patches issued in August 2000 and March 2001. The fix offered by the August patch, Microsoft Security Bulletin MS00-060, had created conditions that would allow an attacker to slow down a system. Two fixes issued in March, MS01-014 and MS01-016, had created potential for a denial of service attack.
The first flaw in IIS was discovered by NSfocus Information Technology Co. Ltd., a Chinese security firm. The two FTP issues were found by Lukasz Luzar of Developers.of.PL and Aiden ORawe. Kevin Kotas, of eSecurityOnline LLC, a security portal, discovered the bugs created by the earlier patches.
The patch issued Tuesday is the third Microsoft has released for its server products in the first two weeks of May.
Two other patches were issued, fixing vulnerabilities in Windows 2000 Server and IIS 5.0 which could lead to the complete takeover of systems by an attacker or a DoS attack, respectively.