Getting IIS patched fast!

In May of 2003, Microsoft released a cumulative hotfix collection for IIS 4.0, 5.0 and 5.1. You may recall that these versions ship with Windows NT Server 4.0, Windows 2000 Server/Professional and Windows XP Professional. Some have labeled this hotfix collection a security rollup, but Microsoft did not assign it such a name.

This cumulative patch is detailed in Microsoft Security Bulletin MS03-018.

This patch includes all security-related hotfixes released individually since Service Pack 6a for Windows NT 4.0 (IIS 4.0) and since SP2 for Windows 2000 (IIS 5.0), plus all hotfixes for Windows XP's IIS 5.1. In addition to these previously released hotfixes, the patch includes several new, previously unreleased security patches. These new patches address various issues, including a cross-site scripting vulnerability, a buffer overrun and several denial-of-service vulnerabilities.

None of these new security patches are identified as critical issues. However, it is my opinion that you should patch all known security holes no matter what the current risk level is. Any security hole is still a security hole. Just because the threat or risk is low right now doesn't mean that your system will be protected by probability. Remember, it only takes a single instance of an attack to infiltrate or decommission a system.

Depending on your configuration, you may not explicitly need this rollup. For example, you may not need it if you are running IIS 5.0, are not using ASP, have used IIS Lockdown to disable Ssinc.dll and WebDAV, and users cannot upload files. In such a case, you only need to ensure that you've installed all previously existing hotfixes, and you can skip this rollup for now. However, be sure to double-check your environment against the mitigating factors detailed in the security bulletin before deciding to forgo this cumulative patch.

About the author
James Michael Stewart is a partner and researcher for ITinfopros, a technology-focused writing and training organization.

This was first published in July 2003
