on Wednesday slapped an “important” rating on a cumulative patch that fixes four new security holes found in its Internet Information Server (IIS) versions 4.0 through 5.1.
A security alert from the Redmond, Wash.-based company said the cumulative patch should be applied immediately by customers hosting Web
servers using Windows NT 4.0, Windows 2000 or Windows XP.
Microsoft IIS version 6.0 is not affected.
The most serious vulnerability, which would allow an attacker to execute code of their choice, was found in Cross-Site Scripting (CSS) and involves the error message that’s returned to advise that a requested URL has been redirected.
Microsoft explained that an attacker could trick a user into going to a Web site containing specially crafted script to render false security settings.
The cumulative patch also fixes a buffer overrun that results because IIS 5.0 does not correctly validate requests for certain types of web pages. “An attacker would need the ability to upload a server-side include page to a vulnerable IIS server. If the attacker then requested this page, a buffer overrun could result, which would allow the attacker to execute code of their choice on the server with user-level permissions,” the company warned.
The patch also covers two denial-of-service
vulnerabilities in IIS 4.0, IIS and IIS 5.1.
Microsoft cautioned that the cumulative patch requires the installation
of a previous patch.
Separately, the company also warned of a flaw in the ISAPI (Internet Server Application Programming Interface)
In an advisory, Microsoft said the flaw was
detected in the way nsiislog.dll processes incoming requests to the
ISAPI extension. It would allow an attacker to send specially formed
communications to the server that could cause IIS to stop responding to
Windows Media Services is a feature of the company’s Windows 2000 Server,
Advanced Server, and Datacenter Server. It contains support for a method of
delivering multicast streaming.