On Tuesday, Microsoft issued yet another patch, this time for IIS version 4.0 (Service Pack 5 and higher) and version 5.0, which will protect against other DoS and takeover attacks, as well as correct problems created by other "fixes."
The new patch, available now at Microsoft's TechNet Web site, fixes three flaws in the IIS software. The first flaw allows an attacker to gain the ability to execute programs on the system by sending a certain sequence of packets of data, though it would not allow the attacker to gain administrator-level privileges. The second problem fixed in the update concerns an FTP (file transfer protocol) DoS which could cause the program to run out of memory, thus causing all connections to shut down. Finally, another issue with FTP services could have allowed an attacker to gain access to "Guest" accounts, though this vulnerability seems to be the most minor.
The new patch also fixes new flaws introduced by three Microsoft patches issued in August 2000 and March 2001. The fix offered by the August patch, Microsoft Security Bulletin MS00-060, had created conditions that would allow an attacker to slow down a system. Two fixes issued in March, MS01-014 and MS01-016, had created potential for a denial of service attack.
The first flaw in IIS was discovered by NSfocus Information Technology, a Chinese security firm. The two FTP issues were found by Lukasz Luzar of Developers.of.PL and Aiden ORawe. Kevin Kotas, of eSecurityOnline, a security portal, discovered the bugs created by the earlier patches.
The patch issued Tuesday is the third Microsoft has released for its server products in the first two weeks of May.
Two other patches were issued, fixing vulnerabilities in Windows 2000 Server and IIS 5.0 which could lead to the complete takeover of systems by an attacker or a DoS attack, respectively.