In May of 2003, Microsoft released a cumulative hotfix collection for IIS 4.0, 5.0 and 5.1. You may recall that these versions ship with Windows NT Server 4.0, Windows 2000 Server/Professional and Windows XP Professional. Some have labeled this hotfix collection a security rollup, but Microsoft did not assign it such a name.
This cumulative patch is detailed in
This patch includes every security-related hotfix released individually for IIS 4.0 since Windows NT 4.0 Service Pack 6a, for IIS 5.0 since Windows 2000 SP2, and all hotfixes for IIS 5.1 on Windows XP. In addition to these previously released hotfixes, it also includes several new, previously unreleased security patches. These new patches address a cross-site scripting vulnerability, a buffer overrun and several denial-of-service vulnerabilities.
None of these new security patches are identified as critical issues. However, it is my opinion that you should patch all known security holes no matter what the current risk level is. Any security hole is still a security hole. Just because the threat or risk is low right now doesn't mean that your system will be protected by probability. Remember, it only takes a single instance of an attack to infiltrate or decommission a system.
Depending on your configuration, you may not need this rollup at all. For example, you may not need it if you are running IIS 5.0, are not using ASP, have used IIS Lockdown to disable Ssinc.dll and WebDAV, and do not allow users to upload files. In such a case, you only need to ensure that all previously released hotfixes are installed, and you can skip this rollup for now. However, be sure to double-check your environment against the mitigating factors detailed in the security bulletin before deciding to forgo this cumulative patch.
About the author
James Michael Stewart is a partner and researcher for ITinfopros, a technology-focused writing and training organization.
This was first published in July 2003