HomeIT Management

Microsoft Posts New Security Patch

InternetNews Staff
By InternetNews Staff

Microsoft Corp.
has released a security patch to address vulnerabilities in its Internet
Information Server that could allow denial of service attacks to be mounted
against Web servers.


The potential security hole involves the HTTP GET method, which is used to
obtain information from an IIS server. A malicious request could create a
denial of service attack that consumes all server resources, causing a
server to hang and become unresponsive.


Internet developer Brian Steele discovered the attack while doing a proxy
test last week on a Windows NT server running Microsoft Proxy 2.0. After
configuring the server, Steele invited participants on a system
administrator’s mailing list to try and penetrate it.


Steele said the server survived all break-in attempts until Eugene Kalinin
of Russia launched an attack that consisted of sending a continuous GET
request to the proxy server. The server responded by continuously setting
aside memory to story the request. This machine got caught in a spiral
until the server ran out of memory and essentially became unusable.


After discovering the attack, Steele reported it to Microsoft who confirmed
the problem and began working on a fix.


The patch, posted late Monday, repairs the glitch although Microsoft was
quick to point out no attacks have actually been reported. Microsoft said
versions 3.0 and 4.0 of the Internet Information Server running on IBM
compatible and DEC Alpha-based machines are affected.


Microsoft said the server can often be put back into service by restarting
the operating system or by rebooting. The software giant said the situation
cannot happen accidentally, rather the requests must be sent deliberately
to the sever. The potential problem does not allow data to be compromised
and does not allow hacks to pose as system administrators.


More information on the problem and the patch that repairs it can be
downloaded here.


Microsoft said it would provide technical support for the patch, which it
conceded has not been fully tested. A refined version of the patch will be
part of the next Windows NT service pack.

InternetNews Staff
InternetNews Staff
Previous article
Zip2 Announces New Sales and Marketing Team
Next article
Barclays Merchant Services Signs With CyberCash

Similar Posts

Get the Free Newsletter!

Subscribe to our newsletter.

Subscribe to Daily Tech Insider for top news, trends & analysis

News Around the Web

InternetNews is a source of industry news and intelligence for IT professionals from all branches of the technology world. InternetNews focuses on helping professionals grow their knowledge base and authority in their field with the top news and trends in Software, IT Management, Networking & Communications, and Small Business.

Advertisers

Advertise with TechnologyAdvice on InternetNews and our other IT-focused platforms.

Advertise with Us

Menu

Our Brands

Property of TechnologyAdvice.
© 2024 TechnologyAdvice. All Rights Reserved

Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.