DOCUMENT:Q241127  08-MAY-2002  [iis]
TITLE   :ASP Uses SYSTEM Account to Release User Object
PRODUCT :Internet Information Server
PROD/VER:winnt:4.0
OPER/SYS:
KEYWORDS:

======================================================================
-------------------------------------------------------------------------------
The information in this article applies to:

 - Microsoft Internet Information Server version 4.0 
-------------------------------------------------------------------------------

SYMPTOMS
========

The ATL COM object can be instantiated and its functions can be invoked in an
ASP page. ASP uses the credential of the user who accesses the page to run the
functions in the object. ASP uses the SYSTEM account to release the object when
it is out of scope. Using the SYSTEM account to release the object causes a
potential security problem.

CAUSE
=====

ASP reverts to the SYSTEM account earlier than it should.

RESOLUTION
==========

A supported fix is now available from Microsoft, but it is only intended to
correct the problem described in this article and should be applied only to
systems experiencing this specific problem. This fix may receive additional
testing at a later time, to further ensure product quality. Therefore, if you
are not severely affected by this problem, Microsoft recommends that you wait
for the next Windows NT service pack that contains this fix.

To resolve this problem immediately, contact Microsoft Product Support Services
to obtain the fix. For a complete list of Microsoft Product Support Services
phone numbers and information about support costs, please go to the following
address on the World Wide Web:

   http://support.microsoft.com/default.aspx?scid=fh;EN-US;CNTACTMS

NOTE: In special cases, charges that are normally incurred for support calls may
be canceled, if a Microsoft Support Professional determines that a specific
update will resolve your problem. Normal support costs will apply to additional
support questions and issues that do not qualify for the specific update in
question.

The English version of this fix should have the following file attributes or
later:

   Date      Time                 Size    File name     Platform
   -------------------------------------------------------------
   08/20/99  02:13p               329,024 asp.dll       (x86)
   08/20/99  02:11p                43,456 coadmin.dll   (x86)
   08/20/99  02:13p                11,168 ftpctrs2.dll  (x86)
   08/20/99  02:13p                81,888 ftpsvc2.dll   (x86)
   08/20/99  01:22p                11,396 httpext.h     (x86)
   08/20/99  02:12p                17,424 iisadmin.dll  (x86)
   08/20/99  02:11p                62,960 iislog.dll    (x86)
   08/20/99  02:12p                16,848 infoadmn.dll  (x86)
   08/20/99  02:12p               184,736 infocomm.dll  (x86)
   08/20/99  02:12p                29,520 iscomlog.dll  (x86)
   08/20/99  02:12p                11,248 iwrps.dll     (x86)
   08/20/99  02:11p                71,232 metadata.dll  (x86)
   08/20/99  02:12p                51,296 nsepm.dll     (x86)
   08/20/99  02:12p                14,752 w3ctrs.dll    (x86)
   08/20/99  02:12p               229,008 w3svc.dll     (x86)
   08/20/99  02:12p                87,504 wam.dll       (x86)

   08/20/99  02:13p               549,648 asp.dll       (Alpha)
   08/20/99  02:11p                77,072 coadmin.dll   (Alpha)
   08/20/99  02:12p                17,168 ftpctrs2.dll  (Alpha)
   08/20/99  02:12p               126,736 ftpsvc2.dll   (Alpha)
   08/20/99  01:25p                11,396 httpext.h     (Alpha)
   08/20/99  02:11p                28,432 iisadmin.dll  (Alpha)
   08/20/99  02:11p               112,400 iislog.dll    (Alpha)
   08/20/99  02:11p                25,872 infoadmn.dll  (Alpha)
   08/20/99  02:11p               303,888 infocomm.dll  (Alpha)
   08/20/99  02:11p                45,840 iscomlog.dll  (Alpha)
   08/20/99  02:12p                16,656 iwrps.dll     (Alpha)
   08/20/99  02:10p               131,856 metadata.dll  (Alpha)
   08/20/99  02:11p                87,824 nsepm.dll     (Alpha)
   08/20/99  02:12p                21,264 w3ctrs.dll    (Alpha)
   08/20/99  02:12p               385,296 w3svc.dll     (Alpha)
   08/20/99  02:11p               149,264 wam.dll       (Alpha)



STATUS
======

Microsoft has confirmed this to be a problem in Internet Information Server 4.0.

Additional query words: asp security

======================================================================
Keywords          :  
Technology        : kbiisSearch kbiis400
Version           : winnt:4.0
Hardware          : ALPHA x86
Issue type        : kbbug
Solution Type     : kbfix

=============================================================================

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND.  MICROSOFT DISCLAIMS
ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES
OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.  IN NO
EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR
ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL,
CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF
MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES.  SOME STATES DO NOT ALLOW THE EXCLUSION
OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES
SO THE FOREGOING LIMITATION MAY NOT APPLY.

Copyright Microsoft Corporation 2002.