RealTime IT News

Microsoft Posts New Security Patch

Microsoft Corp. has released a security patch to address vulnerabilities in its Internet Information Server that could allow denial of service attacks to be mounted against Web servers.

The potential security hole involves the HTTP GET method, which is used to obtain information from an IIS server. A malicious request could create a denial of service attack that consumes all server resources, causing a server to hang and become unresponsive.

Internet developer Brian Steele discovered the attack while doing a proxy test last week on a Windows NT server running Microsoft Proxy 2.0. After configuring the server, Steele invited participants on a system administrator's mailing list to try and penetrate it.

Steele said the server survived all break-in attempts until Eugene Kalinin of Russia launched an attack that consisted of sending a continuous GET request to the proxy server. The server responded by continuously setting aside memory to story the request. This machine got caught in a spiral until the server ran out of memory and essentially became unusable.

After discovering the attack, Steele reported it to Microsoft who confirmed the problem and began working on a fix.

The patch, posted late Monday, repairs the glitch although Microsoft was quick to point out no attacks have actually been reported. Microsoft said versions 3.0 and 4.0 of the Internet Information Server running on IBM compatible and DEC Alpha-based machines are affected.

Microsoft said the server can often be put back into service by restarting the operating system or by rebooting. The software giant said the situation cannot happen accidentally, rather the requests must be sent deliberately to the sever. The potential problem does not allow data to be compromised and does not allow hacks to pose as system administrators.

More information on the problem and the patch that repairs it can be downloaded here.

Microsoft said it would provide technical support for the patch, which it conceded has not been fully tested. A refined version of the patch will be part of the next Windows NT service pack.