Microsoft tweaks IIS patch

By Bill Brenner, Senior News Writer 19 Jul 2006 | SearchSecurity.com

Security Wire Daily News Digg This!     StumbleUpon     Del.icio.us

The issues affected MS06-034, which addressed a remote code execution flaw in Internet Information Services (IIS). Microsoft said in its bulletin that attackers could exploit the vulnerability in its Web server software by constructing a specially crafted Active Server Pages .asp file, potentially allowing remote code execution if the IIS processes the specially crafted file.

Craig Gehre, release manager for the Microsoft Security Response Center, announced the patch fixes in the center's blog Tuesday. He described two minor problems that had to be addressed:

"One issue was that even though you installed the update you could still be getting it reoffered to you via Windows Update, Microsoft Update, Automatic Update, or WSUS (Windows Server Update Services)," he said. "In some cases we were detecting on a file you may not even have on your system."

He said the second issue was that users running Windows Server 2003 SP1 may not have been re-offered the update after a failed install. "If you installed the update while IIS was using the file ASP.dll, the package may appear to install correctly, but it did not," he said.

Both issues have been addressed, but since the second issue might have involved a silent failure, Gehre recommended all Windows 2003 SP1 users rerun detection of the patch on their systems to make sure they are properly updated.

Tags: Security Patch Management,  Web Server Threats and Countermeasures,  Web Application and Web 2.0 Threats,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Security Patch Management Microsoft to address eight security vulnerabilities in Windows, Office Customer gets say during responsible vulnerability disclosure panel Microsoft gives Internet Explorer a major security overhaul Information security book excerpts and reviews What patch management metrics does Project Quant use? Squad: Tokenization, Phishing and the Feds Should management processes change based on a patch release schedule? Should Windows Mobile updates come from Microsoft? Adobe updates ColdFusion, JRun, Flex Trusteer CEO criticizes Adobe, touts better patch deployments Web Server Threats and Countermeasures Microsoft doesn't rule out rushed patch for IIS zero-day vulnerability How do passwordless SSH keys represent an enterprise attack vector? Information security book excerpts and reviews Increase in Gumblar backdoors poses FTP credential problems VeriSign extends DDoS attack protection service Microsoft issues IIS FTP advisory, exploit code circulates Panda reports fast-spreading rogueware antivirus fraud rakes in millions Oracle issues quarterly patches, fixes database flaws Latest DDoS attacks extremely unsophisticated, experts say Stolen FTP credentials likely in massive website attacks Web Application and Web 2.0 Threats Microsoft issues advisory on new IE security vulnerability Security must-haves after building a Web application How to secure online collaboration applications like Google Wave How to turn off Google Buzz and avoid privacy issues CISOs take measured steps to reduce social media risks Torrent phishing scheme trips up Twitter users Browser exploit kit probe highlights need for patching, vigilance Attackers continue barrage of SEO attacks Self-defending Web applications thwart attacks Facebook, McAfee partner to fix social network security issues

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary attack vector  (SearchSecurity.com) back door  (SearchSecurity.com) ethical worm  (SearchSecurity.com) Patch Tuesday  (SearchSecurity.com) zero-day exploit  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary