
SAFER – Vol. 3, Issue 6 37 © 2000 The Relay Group
Microsoft Security Bulletin (MS00-034)
Released May 12, 2000
Affects Microsoft Office 2000
Reference http://www.microsoft.com/technet/security/bulletin/fq00-034.asp
Problem
- An ActiveX control that ships as part of Office 2000 is incorrectly marked as "safe for scripting".
This control, the Office 2000 UA Control, is used by the "Show Me" function in Office Help, and
allows Office functions to be scripted. A malicious web site operator could use the control to carry
out Office functions on the machine of a user who visited his site.
- The control ships only as part of Office 2000 (and Office 2000 family members, as listed below).
The patch removes all unsafe functionality, with the result that the "Show Me" function will be
disabled in Office 2000.
SAFER
- Microsoft has released a patch.
Microsoft Security Bulletin (MS00-030)
Released May 11, 2000
Affects Microsoft Internet Information Server 4.0, 5.0
Reference http://www.microsoft.com/technet/security/bulletin/fq00-030.asp
Problem
- In compliance with RFC 2396, the algorithm in IIS that processes URLs has flexibility built in to
allow it to process any arbitrary sequence of file extensions or subresource identifiers (referred to
in the RFC as path_segments). By providing a URL that contains specially malformed file
extension information, a malicious user could misuse this flexibility in order to arbitrarily increase
the work factor associated with parsing the URL. This could consume much or all of the CPU
availability on the server and prevent useful work from being done.
- The vulnerability does not provide any capability to cause the server to fail, or to add, change or
delete data on it. Likewise, it provides no capability to usurp administrative control of the web
server. The slowdown would only last until the URL had been processed, at which point service
would return to normal.
SAFER
- Microsoft has released a patch.
ISS Security Advisory: Microsoft IIS Remote Denial of Service Attack
Released May 11, 2000
Affects Microsoft IIS 4.0 and 5.0
Reference http://www.iss.net/
Problem
- The vulnerability exists primarily in IIS 4.0 and to a limited extent in 5.0. IIS uses the IISADMPWD
virtual directory to give users the ability to change passwords. When IIS is installed, it creates the
directory %system32%\inetsrv\iisadmpwd that contains .htr files used for web-based password
administration. Only when the virtual directory IISADMPWD is created does the ability to change
passwords become enabled.
- On vulnerable systems, an attacker can send a malformed request to force inetinfo.exe to utilize
100% of the CPU and adversely affect the ability of IIS to field requests. After the vulnerability has
been exploited, the inetinfo.exe process cannot be stopped, requiring a full reboot of the server to
regain functionality. The effect on IIS 5.0 is not as severe. If the vulnerability is exploited against
this version of IIS, access to any .htr file on the server fails. CPU utilization does not increase to
100% as it does in version 4.0.
SAFER
- Microsoft has made patches available for IIS versions 4 and 5.
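Added example (not part of the original bulletins or of any vendor tooling): a log-review script for the two IIS issues above (MS00-030 and the ISS advisory). It reads W3C extended-format IIS logs and reports, per client, requests for .htr files, access to the IISADMPWD virtual directory, and URLs whose final segment carries an unusually long chain of extensions. The threshold, the reason labels and the sample log lines are assumptions constructed for illustration.

```python
import collections
from urllib.parse import unquote

MAX_EXTENSIONS = 8  # assumed threshold; tune against normal traffic
# Constructed sample in W3C extended log format (not real traffic).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2000-05-12 10:00:01 192.0.2.10 GET /default.asp 200
2000-05-12 10:00:02 192.0.2.77 GET /iisadmpwd/sample.htr 200
2000-05-12 10:00:03 192.0.2.77 GET /IISADMPWD/other.htr 200
2000-05-12 10:00:04 198.51.100.5 GET /docs/report.v1.2.pdf 200
2000-05-12 10:00:05 198.51.100.9 GET /a.b.c.d.e.f.g.h.i.j.k.l 404
"""

def parse_w3c(text):
    """Yield one dict per request, using the #Fields directive for column names."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated lines
                yield dict(zip(fields, values))

def classify(stem):
    """Return the reasons a URI stem deserves review (empty list if none)."""
    path = unquote(stem).lower()          # IIS paths are case-insensitive
    last = path.rsplit("/", 1)[-1]        # final path segment
    reasons = []
    if last.endswith(".htr"):
        reasons.append("htr-request")
    if path.startswith("/iisadmpwd/"):
        reasons.append("iisadmpwd-access")
    if last.count(".") > MAX_EXTENSIONS:
        reasons.append("extension-chain")
    return reasons

def flag_clients(text):
    """Map client IP -> {reason: count} over all of that client's requests."""
    hits = collections.defaultdict(collections.Counter)
    for rec in parse_w3c(text):
        for reason in classify(rec.get("cs-uri-stem", "")):
            hits[rec.get("c-ip", "?")][reason] += 1
    return {ip: dict(counts) for ip, counts in hits.items()}

if __name__ == "__main__":
    for ip, reasons in flag_clients(SAMPLE_LOG).items():
        print(ip, reasons)
```

On a server where web-based password administration is not in use, any hit in the first two categories is worth a look; the extension-chain count only ranks candidates for manual review and does not confirm the MS00-030 condition.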