FP2000: MS01-035: Potential Buffer Overrun Vulnerability in Visual Studio RAD (Remote Application Deployment) (300477)



The information in this article applies to:

  • FrontPage 2000 Server Extensions from Microsoft
  • Microsoft Internet Information Server 4.0
  • Microsoft Internet Information Services 5.0

This article was previously published under Q300477

SUMMARY

Microsoft Internet Information Server 4.0 and Internet Information Services 5.0 (IIS) include the FrontPage Server Extensions to facilitate the development of Web sites and Web-based applications. The FrontPage Server Extensions include an optional subcomponent for development servers called Visual Studio RAD (Remote Application Deployment). If you install this optional component on a computer during the installation of Microsoft Windows 2000, you receive the following message:

You have chosen to install Visual InterDev RAD Remote Deployment Support. You should do this only on development servers, because RAD lets authors register server components and modify the COM+ settings, affecting the state of the running server. If you install RAD Remote Deployment Support, you should regularly review the permissions settings of your FrontPage webs to ensure that no unwanted authors have obtained authoring privileges.

This subcomponent allows Visual InterDev users to register and unregister programming components on the IIS server. This subcomponent contains an unchecked buffer in a section that processes input information.

Although it is unlikely, an attacker could potentially exploit this vulnerability against any server on which the affected subcomponent is installed, by connecting to a Web session on the server and passing a specially malformed packet to the system.

For additional information about the latest service pack for Windows 2000, click the article number below to view the article in the Microsoft Knowledge Base:

260910 How to Obtain the Latest Windows 2000 Service Pack

MORE INFORMATION

A more detailed explanation and a supported fix are available in Microsoft Security Bulletin MS01-035.

This patch is available in the Windows 2000 Security Rollup Package 1 (SRP1) or individually via the links below. For additional information on SRP1, click the article number below to view the article in the Microsoft Knowledge Base:

311401 Windows 2000 Security Rollup Package 1 (SRP1), January 2002

For additional information about security topics, browse to the following Microsoft TechNet Security Web site:

Modification Type: Minor
Last Reviewed: 9/23/2005
Keywords: kbHotfixServer kbQFE kbinfo kbSecurity kbWin2000PreSP3Fix kbWin2000sp3fix KB300477