MS02-062: October 2002 Cumulative Patch for Internet Information Services (327696)


The information in this article applies to:

  • Microsoft Internet Information Services version 5.1
  • Microsoft Internet Information Services 5.0
  • Microsoft Internet Information Server 4.0
This article was previously published under Q327696

SYMPTOMS

Microsoft has released a cumulative patch for Internet Information Server (IIS) 4.0, Internet Information Services (IIS) 5.0, and IIS 5.1 that includes updates for the issues that are described in the following Microsoft Knowledge Base articles:

321599 MS02-028: Heap overrun in HTR chunked encoding might enable Web server compromise

319733 MS02-018: April 2002 cumulative patch for Internet Information Services

This patch includes not only previously released security patches, but also fixes for the following newly discovered security vulnerabilities that affect IIS 4.0, 5.0, and 5.1:
  • A privilege elevation vulnerability that affects the way ISAPIs are started when an IIS 4.0, 5.0, or 5.1 server is configured to run them out of process. By design, the hosting process (Dllhost.exe) runs only in the security context of the IWAM_computername account; however, it can actually be made to acquire LocalSystem privileges under certain circumstances, thereby enabling an ISAPI to do likewise.
  • A denial of service vulnerability that results because of a flaw in the way IIS 5.0 and 5.1 allocate memory for WebDAV requests. If a WebDAV request is malformed in a particular way, IIS allocates an extremely large amount of memory on the server. By sending several such requests, an attacker can cause the server to fail.
  • A vulnerability that involves the operation of the script source access permission in IIS 5.0. This permission operates in addition to the typical read/write permissions for a virtual directory, and regulates whether scripts, .ASP files, and executable file types can be uploaded to a write-enabled virtual directory. A typographical error in the table that defines the file types that are subject to this permission omits .COM files from the list of files subject to the permission. As a result, a user needs only write access to upload such a file.
  • A pair of Cross-Site Scripting (CSS) vulnerabilities that affect IIS 4.0, 5.0, and 5.1, and involve the administrative Web page. Each of these vulnerabilities has the same scope and effect: when a user clicks a link on an attacker's Web site, the attacker can relay a request that contains script to a third-party Web site that is running IIS, thereby causing the third-party site's response (which still includes the script) to be sent to the user. The script then renders using the security settings of the third-party site instead of the attacker's site.
Additionally, the patch causes IIS 5.0 and 5.1 to change how frequently the socket backlog list - which, when all connections on a server are allocated, holds the list of pending connection requests - is cleared. The patch changes IIS to clear the list more frequently to make it more resilient to flooding attacks. The backlog monitoring feature is not present in IIS 4.0.

Note These patches do not include fixes for vulnerabilities involving non-IIS products, such as the Microsoft FrontPage Server Extensions and Microsoft Index Server, although these products are closely associated with IIS and are typically installed on IIS servers. There is, however, one exception. The fix for the vulnerability that affects Index Server, which is discussed in Microsoft Security Bulletin MS01-033, is included in this patch because of the seriousness of the issue for IIS servers. At the time that this article was written, the Microsoft Security Bulletins that discuss these vulnerabilities are as follows:

Microsoft Security Bulletin MS01-043

Microsoft Security Bulletin MS01-025

Microsoft Security Bulletin MS00-084

Microsoft Security Bulletin MS00-018

Microsoft Security Bulletin MS00-006

All the previously listed fixes and cumulative patches are included in Windows 2000 Service Pack 3. For additional information about the latest service pack for Windows 2000, click the following article number to view the article in the Microsoft Knowledge Base:

260910 How to obtain the latest Windows 2000 service pack

Note The fixes for the following vulnerabilities that affect IIS 4.0 are not included in the patch because they require administrative action instead of a software change. Administrators must make sure that they not only apply this patch, but also take the administrative action that is described in the following bulletins:

Microsoft Security Bulletin MS00-028

Microsoft Security Bulletin MS00-025

Microsoft Security Bulletin MS99-025 (which discusses the same issue as Microsoft Security Bulletin MS98-004)

Microsoft Security Bulletin MS99-013

RESOLUTION

Windows XP service pack information

To resolve this problem, obtain the latest service pack for Microsoft Windows XP. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

322389 How to obtain the latest Windows XP service pack

Windows 2000 service pack information

To resolve this problem, obtain the latest service pack for Microsoft Windows 2000. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

260910 How to obtain the latest Windows 2000 service pack

Hotfix information

Internet Information Services 5.1

A supported hotfix is now available from Microsoft, but it is only intended to correct the problem that this article describes. Apply it only to systems that you determine are at risk of attack. Evaluate the computer's physical accessibility, network and Internet connectivity, and other factors to determine the degree of risk to the computer. See the associated Microsoft Security Bulletin to help determine the degree of risk. This hotfix may receive additional testing. If the computer is sufficiently at risk, we recommend that you apply this hotfix now.

To resolve this problem immediately, download the hotfix by following the instructions later in this article or contact Microsoft Product Support Services to obtain the hotfix. For a complete list of Microsoft Product Support Services telephone numbers and information about support costs, visit the following Microsoft Web site:

http://support.microsoft.com/contactus/?ws=support

Note In special cases, charges that are ordinarily incurred for support calls may be canceled, if a Microsoft Support Professional determines that a specific update will resolve your problem. The usual support costs will apply to additional support questions and issues that do not qualify for the specific update in question. Download informationThe following files are available for download from the Microsoft Download Center:

Windows XP Professional

English (US): DownloadDownload the Q327696 package now

Arabic: DownloadDownload the Q327696 package now

Chinese (Simplified): DownloadDownload the Q327696 package now

Chinese (Traditional): DownloadDownload the Q327696 package now

Czech: DownloadDownload the Q327696 package now

Danish: DownloadDownload the Q327696 package now

Dutch: DownloadDownload the Q327696 package now

Finnish: DownloadDownload the Q327696 package now

French: DownloadDownload the Q327696 package now

German: DownloadDownload the Q327696 package now

Greek: DownloadDownload the Q327696 package now

Hebrew: DownloadDownload the Q327696 package now

Hungarian: DownloadDownload the Q327696 package now

Italian: DownloadDownload the Q327696 package now

Japanese: DownloadDownload the Q327696 package now

Korean: DownloadDownload the Q327696 package now

Norwegian: DownloadDownload the Q327696 package now

Polish: DownloadDownload the Q327696 package now

Portuguese: DownloadDownload the Q327696 package now

Portuguese (Brazil): DownloadDownload the Q327696 package now

Russian: DownloadDownload the Q327696 package now

Spanish: DownloadDownload the Q327696 package now

Swedish: DownloadDownload the Q327696 package now

Turkish: DownloadDownload the Q327696 package now

Windows XP 64-Bit Edition

English (US): DownloadDownload the Q327696 package now

French: DownloadDownload the Q327696 package now

German: DownloadDownload the Q327696 package now

Japanese: DownloadDownload the Q327696 package now

Release Date: October 30, 2002

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:

119591 How to Obtain Microsoft Support Files from Online Services

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file. Installation information If a dialog box appears that states you must restart your computer after you apply this update, you can safely ignore it. This update supports the following Setup switches:
  • /? Display the list of installation switches.
  • /u Unattended mode.
  • /f Force other programs to quit when the computer shuts down.
  • /n Do not back up files for removal.
  • /o Overwrite OEM files without prompting.
  • /z Do not restart when installation is complete.
  • /q Quiet mode (no user interaction).
  • /l List installed hotfixes.
  • /x Extracts the files without running Setup.
For example, the following command line installs the update without any user intervention and then does not force the computer to restart:

q329834_wxp_sp2_x86_enu /q /m /z

File information The English version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

Windows XP Professional

The following files are installed in the %WINDIR%\System32\inetsrv folder: 
   Date         Time   Version        Size     File name
   --------------------------------------------------------
   25-Sep-2002  14:46  5.1.2600.1125  339,456  Asp51.dll
   25-Sep-2002  14:46  5.1.2600.1125  117,248  Ftpsv251.dll
   25-Sep-2002  14:46  6.0.2600.1125  240,640  Httpext.dll
   25-Sep-2002  14:46  5.1.2600.1125   54,272  Httpod51.dll
   25-Sep-2002  14:46  6.0.2600.1125  240,640  Infocomm.dll
   25-Sep-2002  14:46  6.0.2600.1125   65,024  Isatq.dll
   25-Sep-2002  14:46  5.1.2600.1125   40,448  Ssinc51.dll
   25-Sep-2002  14:46  5.1.2600.1125  339,456  W3svc.dll
The following files are installed in the %WINDIR%\Help\iisHelp\iis\misc folder: 
   Date         Time   Size    File name
   ---------------------------------------
   08-Aug-2002  14:31   2,411  Default.asp
   08-Aug-2002  14:31  19,224  Query.asp
   08-Aug-2002  14:31   6,527  Search.asp
Windows XP 64-Bit Edition

The following files are installed in the %WINDIR%\System32\inetsrv folder: 
   Date         Time   Version        Size       File name
   ----------------------------------------------------------
   25-Sep-2002  14:47  5.1.2600.1125  1,052,672  Asp51.dll
   25-Sep-2002  14:47  5.1.2600.1125    289,792  Ftpsv251.dll
   25-Sep-2002  14:47  6.0.2600.1125    934,400  Httpext.dll
   25-Sep-2002  14:47  5.1.2600.1125    142,848  Httpod51.dll
   25-Sep-2002  14:47  6.0.2600.1125    667,648  Infocomm.dll
   25-Sep-2002  14:47  6.0.2600.1125    186,368  Isatq.dll
   25-Sep-2002  14:47  5.1.2600.1125     96,768  Ssinc51.dll
   25-Sep-2002  14:47  5.1.2600.1125    916,480  W3svc.dll
The following files are installed in the %WINDIR%\Help\iisHelp\iis\misc folder: 
   Date         Time   Size    File name
   ---------------------------------------
   08-Aug-2002  14:32   2,411  Default.asp
   08-Aug-2002  14:32  19,224  Query.asp
   08-Aug-2002  14:32   6,527  Search.asp


back to the top

Internet Information Services 5.0

A supported hotfix is now available from Microsoft, but it is only intended to correct the problem that this article describes. Apply it only to systems that you determine are at risk of attack. Evaluate your computer's physical accessibility, network and Internet connectivity, and other factors to determine the degree of risk to your computer. See the associated Microsoft Security Bulletin to help determine the degree of risk. This hotfix may receive additional testing. If your computer is sufficiently at risk, we recommend that you apply this hotfix now.

To resolve this problem immediately, download the hotfix by following the instructions later in this article or contact Microsoft Product Support Services to obtain the hotfix. For a complete list of Microsoft Product Support Services phone numbers and information about support costs, visit the following Microsoft Web site:

http://support.microsoft.com/default.aspx?scid=fh;EN-US;CNTACTMS

Note In special cases, charges that are ordinarily incurred for support calls may be canceled, if a Microsoft Support Professional determines that a specific update will resolve your problem. The usual support costs will apply to additional support questions and issues that do not qualify for the specific update in question. Download informationThe following file is available for download from the Microsoft Download Center:

All Languages: DownloadDownload the Q329834 package now

Release Date: October 30, 2002

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:

119591 How to Obtain Microsoft Support Files from Online Services

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file. Installation information Because of file dependencies, this update requires Windows 2000 Service Pack 2 (SP2) or Service Pack 3 (SP3). For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

260910 How to obtain the latest Windows 2000 service pack

Customers who use Site Server must be aware that a previously documented issue that involves intermittent authentication errors affects this and a small number of other patches. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

317815 Site Server logon problems occur after you apply certain Windows 2000 hotfixes

You do not have to restart your computer after you apply this update. This update supports the following Setup switches:
  • /? Display the list of installation switches.
  • /u Unattended mode.
  • /f Force other programs to quit when the computer shuts down.
  • /n Do not back up files for removal.
  • /o Overwrite OEM files without prompting.
  • /z Do not restart when installation is complete.
  • /q Quiet mode (no user interaction).
  • /l List installed hotfixes.
  • /x Extracts the files without running Setup.
For example, the following command line installs the update without any user intervention and then does not force the computer to restart:

q327696_w2k_sp4_x86_en /q /m /z

File information The English version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

The following files are installed in the %Windir%\System32\ folder: 
   Date         Time   Version        Size     File name
   --------------------------------------------------------
   17-Sep-2002  15:40  5.0.2195.6048  245,520  Adsiis.dll
   17-Sep-2002  15:40  5.0.2195.5255    8,464  Ftpctrs2.dll
   17-Sep-2002  15:40  5.0.2195.5617  122,128  Idq.dll
   17-Sep-2002  15:40  5.0.2195.5991   13,584  Infoadmn.dll
   17-Sep-2002  15:40  5.0.2195.5255  122,640  Iisrtl.dll
   17-Sep-2002  15:40  5.0.2195.5807   76,560  Msw3prt.dll
   17-Sep-2002  15:40  5.0.2195.5255    7,440  W3ctrs.dll
The following file is installed in the Program files\Microsoft Shared\Web Server Extensions\40\bin folder: 
   Date         Time   Version        Size     File name
   -------------------------------------------------------
   16-Aug-2002  14:47  4.0.2.4701     593,976  Fp4autl.dll
The following files are installed in the %WINDIR%\Help\iisHelp\iis\misc folder: 
   Date         Time   Size    File name
   ---------------------------------------
   22-Mar-2002  18:15   2,413  Default.asp
   22-Mar-2002  18:15  19,178  Query.asp
   22-Mar-2002  18:15   5,571  Search.asp
The following files are installed in the %Windir%\System32\inetsrv folder: 
   Date         Time   Version        Size     File name
   --------------------------------------------------------
   17-Sep-2002  15:40  5.0.2195.6048  333,584  Asp.dll
   17-Sep-2002  15:40  5.0.2195.3649  299,792  Fscfg.dll
   17-Sep-2002  15:40  5.0.2195.5255    6,416  Ftpmib.dll
   17-Sep-2002  15:40  5.0.2195.5675  117,008  Ftpsvc2.dll
   17-Sep-2002  15:40  5.0.2195.6035  246,032  Httpext.dll
   17-Sep-2002  15:40  5.0.2195.5255    9,488  Httpmib.dll
   17-Sep-2002  15:40  5.0.2195.5663   56,592  Httpodbc.dll
   17-Sep-2002  15:40  5.0.2195.5991   78,608  Iislog.dll
   17-Sep-2002  15:40  5.0.2195.5991  246,544  Infocomm.dll
   17-Sep-2002  15:40  5.0.2195.6036   62,736  Isatq.dll
   17-Sep-2002  15:40  5.0.2195.5671   46,352  Ism.dll
   17-Sep-2002  15:40  5.0.2195.5255   26,896  Mdsync.dll
   17-Sep-2002  15:40  5.0.2195.5255   41,232  Ssinc.dll
   17-Sep-2002  15:40  5.0.2195.5995  349,456  W3svc.dll
   17-Sep-2002  15:40  5.0.2195.5995   72,976  Wam.dll


back to the top

Internet Information Server 4.0

A supported hotfix is now available from Microsoft, but it is only intended to correct the problem that this article describes. Apply it only to systems that you determine are at risk of attack. Evaluate your computer's physical accessibility, network and Internet connectivity, and other factors to determine the degree of risk to your computer. See the associated Microsoft Security Bulletin to help determine the degree of risk. This hotfix may receive additional testing. If your computer is sufficiently at risk, we recommend that you apply this hotfix now.

To resolve this problem immediately, download the hotfix by following the instructions later in this article or contact Microsoft Product Support Services to obtain the hotfix. For a complete list of Microsoft Product Support Services phone numbers and information about support costs, visit the following Microsoft Web site:

http://support.microsoft.com/default.aspx?scid=fh;EN-US;CNTACTMS

Note In special cases, charges that are ordinarily incurred for support calls may be canceled, if a Microsoft Support Professional determines that a specific update will resolve your problem. The usual support costs will apply to additional support questions and issues that do not qualify for the specific update in question. Before you apply this update, back up your metabase. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

300675 How to create a metabase backup by using Internet Information Server 4.0 in Windows NT

Download informationThe following file is available for download from the Microsoft Download Center:

DownloadDownload the Q327696 package now.

Release Date: October 30, 2002

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:

119591 How to Obtain Microsoft Support Files from Online Services

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file. Installation information This update requires Windows NT 4.0 Service Pack 6a. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

152734 How to obtain the latest Windows NT 4.0 service pack

To install this patch without restarting your computer, follow these steps:
  1. Stop all IIS services.
  2. Install the patch with the hotfix with the /z switch.
  3. Restart the IIS services.
This update supports the following Setup switches:
  • /x Extract the files for later installation
  • /y Perform uninstall (only with /m or /q)
  • /f Force apps closed at shutdown
  • /n Do not create uninstall directory
  • /z Do not restart when update completes
  • /q Quiet Mode -- no user interface
  • /m Unattended mode
  • /l List installed hotfixes
File information The English version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

The following files are installed in the %WINDIR%\System32\inetsrv\ folder (unless otherwise noted): 
   Date         Time   Version     Size     File name
   --------------------------------------------------------------------
   28-Aug-2002  20:09  4.2.780.1   214,544  %WINDIR%\System32\Adsiis.dll
   28-Aug-2002  20:10  4.2.780.1   331,200  Asp.dll
   28-Aug-2002  20:09  4.2.780.1    81,888  Ftpsvc2.dll
   28-Aug-2002  20:09  4.2.780.1    55,392  Httpodbc.dll
   13-Jul-2001  21:14  5.0.1782.4  193,296  %WINDIR%\System32\Idq.dll
   28-Aug-2002  20:08  4.2.780.1    63,984  Iislog.dll
   28-Aug-2002  20:08  4.2.780.1   185,792  Infocomm.dll
   28-Aug-2002  20:08  4.2.780.1    29,520  Iscomlog.dll
   28-Aug-2002  20:12  4.2.780.1    54,560  Ism.dll
   28-Aug-2002  20:10  4.2.780.1    31,872  Mdsync.dll
   28-Aug-2002  20:09  4.2.780.1    38,256  Ssinc.dll
   28-Aug-2002  20:09  4.2.780.1    25,360  Sspifilt.dll
   28-Aug-2002  20:09  4.2.780.1   231,104  W3svc.dll
   28-Aug-2002  20:08  4.2.780.1    88,032  Wam.dll
Note Because of file dependencies, this update may contain additional files.

Windows NT Server 4.0, Terminal Server Edition Internet Information Server 4.0 is part of the Windows NT 4.0 Option Pack. The Option Pack is not supported on Windows NT Server 4.0, Terminal Server Edition. Patches for IIS 4.0 have been provided as part of the Windows NT Server 4.0, Terminal Server Edition Security Rollup Package (SRP) only for customers who have installed the Option Pack to protect their computers during the migration to a supported operating system. For additional information about the SRP, click the following article number to view the article in the Microsoft Knowledge Base:

317636 Windows NT Server 4.0, Terminal Server Edition, Security Rollup Package

back to the top

STATUS

Microsoft has confirmed that this problem may cause a degree of security vulnerability in the Microsoft products that are listed in the "Applies to" section. This problem was first corrected in Microsoft Windows XP Service Pack 2. This problem was first corrected in Microsoft Windows 2000 Service Pack 4.

MORE INFORMATION

For more information about this vulnerability, visit the following Microsoft Web site:

http://www.microsoft.com/technet/security/bulletin/MS02-062.mspx

Modification Type:MajorLast Reviewed:10/21/2005
Keywords:kbWinXPsp2fix kbWin2kSP4fix kbbug kbfix kbQFE KbSECBulletin kbSecurity KbSECVulnerability kbWin2000preSP4Fix kbWinXPpreSP2fix KB327696
©2004 Microsoft Corporation. All rights reserved.