Microsoft Corp.
has released a security patch to address vulnerabilities in its Internet
Information Server that could allow denial of service attacks to be mounted
against Web servers.
The potential security hole involves the HTTP GET method, which is used to
obtain information from an IIS server. A malicious request could create a
denial of service attack that consumes all server resources, causing a
server to hang and become unresponsive.
Internet developer Brian Steele discovered the attack while doing a proxy
test last week on a Windows NT server running Microsoft Proxy 2.0. After
configuring the server, Steele invited participants on a system
administrator’s mailing list to try and penetrate it.
Steele said the server survived all break-in attempts until Eugene Kalinin
of Russia launched an attack that consisted of sending a continuous GET
request to the proxy server. The server responded by continuously setting
aside memory to story the request. This machine got caught in a spiral
until the server ran out of memory and essentially became unusable.
After discovering the attack, Steele reported it to Microsoft who confirmed
the problem and began working on a fix.
The patch, posted late Monday, repairs the glitch although Microsoft was
quick to point out no attacks have actually been reported. Microsoft said
versions 3.0 and 4.0 of the Internet Information Server running on IBM
compatible and DEC Alpha-based machines are affected.
Microsoft said the server can often be put back into service by restarting
the operating system or by rebooting. The software giant said the situation
cannot happen accidentally, rather the requests must be sent deliberately
to the sever. The potential problem does not allow data to be compromised
and does not allow hacks to pose as system administrators.
More information on the problem and the patch that repairs it can be
downloaded here.
Microsoft said it would provide technical support for the patch, which it
conceded has not been fully tested. A refined version of the patch will be
part of the next Windows NT service pack.