-----BEGIN PGP SIGNED MESSAGE-----
Title: Cumulative Patch for Internet Information Service (Q327696)
Date: 30 October 2002
Software: Internet Information Service
Impact: Four vulnerabilities, the most serious of which could enable applications on a server to gain system-level privileges.
Max Risk: Moderate
Bulletin: MS02-062

Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com/technet/security/bulletin/MS02-062.asp.

This patch is a cumulative patch that includes the functionality of all security patches released for IIS 4.0 since Windows NT 4.0 Service Pack 6a, and all security patches released to date for IIS 5.0 and 5.1. A complete listing of the patches superseded by this patch is provided below, in the section titled "Additional information about this patch". Before applying the patch, system administrators should take note of the caveats discussed in the same section.

In addition to including previously released security patches, this patch also includes fixes for the following newly discovered security vulnerabilities affecting IIS 4.0, 5.0 and/or 5.1:

In addition, the patch causes IIS 5.0 and 5.1 to change how frequently the socket backlog list (which, when all connections on a server are allocated, holds the list of pending connection requests) is purged. The patch changes IIS to purge the list more frequently in order to make it more resilient to flooding attacks. The backlog monitoring feature is not present in IIS 4.0.

Out of Process Privilege Elevation:
WebDAV Denial of Service:
(http://www.microsoft.com/technet/security/tools/tools/locktool.asp),
if deployed in its default configuration, disables such requests.
Script Source Access Vulnerability:
Cross-site Scripting in IIS Administrative Pages:
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS
ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS
BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR
SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE
BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME
STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR
CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING
LIMITATION MAY NOT APPLY.
-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1
-----END PGP SIGNATURE-----
You have received this e-mail bulletin because of your subscription to the Microsoft Product Security Notification Service.
For more information on this service, please visit http://www.microsoft.com/technet/security/notify.asp.
To verify the digital signature on this bulletin, please download our PGP key at
http://www.microsoft.com/technet/security/notify.asp.
For security-related information about Microsoft products, please visit the Microsoft Security Advisor web site at
http://www.microsoft.com/security.