What's this bulletin about?
Microsoft Security Bulletin MS00-023 announces the availability of a patch that eliminates a vulnerability in Microsoft® Internet Information Server. Microsoft is committed to protecting customers' information, and is providing the bulletin to inform customers of the vulnerability and what they can do about it.
What's the scope of the vulnerability?
This is a denial of service vulnerability. If a malicious user requested a file from a web server via a specially-malformed URL, the server could become unresponsive for some period of time. The vulnerability does not cause the server to fail, or cause any data to be lost, and the server eventually would resume normal operation, given enough time.
What causes the vulnerability?
The vulnerability results because of the way that so-called escaped characters are handled in IIS. By providing a specially-malformed URL, in which a very large number of escaped characters are arranged in a particular manner, it would be possible to make the algorithm that replaces the escaped characters operate very inefficiently. In the worst case, 100% of the CPU availability might be put toward this task, delaying the server's response to legitimate service requests.
What are escaped characters?
Escaped characters provide a way for users to specify non-printing or special characters in URLs. If a percent sign is followed by two hexadecimal digits, they are replaced by the equivalent ASCII character. For example, if "%20" is encountered in a URL, it is replaced by a blank space character.
What's the problem with escaped characters?
There's no problem with escaped characters. Likewise, there isn't a problem with how the algorithm that replaces them operates, except in extreme cases. The patch provides an improved algorithm that handles even extreme cases well, thereby eliminating the vulnerability.
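The replacement rule described above, written as a single-pass decoder whose work grows linearly with the URL length and which refuses input over a caller-chosen length cap. This is an added illustration, not IIS code and not the patched algorithm; the names `url_unescape`, `hex_val` and `max_len` are hypothetical, and rejecting a decoded NUL byte is an extra assumption of this sketch.

```c
#include <stddef.h>

/* Value of one hexadecimal digit, or -1 if c is not a hex digit. */
static int hex_val(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/*
 * Decode %XX escapes from src into dst (dst_size bytes, NUL-terminated).
 * Each input byte is read once and each output byte is written once, so
 * the cost is linear in the URL length however many escapes it contains.
 * Returns the decoded length, or -1 if the URL is longer than max_len
 * (hypothetical cap), holds a malformed escape, decodes to a NUL byte,
 * or does not fit in dst.
 */
long url_unescape(const char *src, size_t max_len, char *dst, size_t dst_size)
{
    size_t n = 0, in = 0, out = 0;

    while (n <= max_len && src[n] != '\0') n++;   /* bounded length scan */
    if (n > max_len || dst_size == 0)
        return -1;                      /* over-long URL: reject before decoding */

    while (in < n) {
        char c = src[in];
        if (c == '%') {
            int hi, lo;
            if (n - in < 3)
                return -1;              /* truncated escape at end of URL */
            hi = hex_val(src[in + 1]);
            lo = hex_val(src[in + 2]);
            if (hi < 0 || lo < 0 || (hi == 0 && lo == 0))
                return -1;              /* bad hex digits or embedded NUL */
            c = (char)((hi << 4) | lo);
            in += 3;
        } else {
            in += 1;
        }
        if (out + 1 >= dst_size)
            return -1;                  /* output buffer too small */
        dst[out++] = c;
    }
    dst[out] = '\0';
    return (long)out;
}
```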
What would be the effect of an attack via this vulnerability?
An attack via this vulnerability would slow or stop the server's response, but it would not cause the server to fail, nor would it cause any data loss. As soon as the server completed parsing the URL, processing would return to normal. However, a malicious user could send many such requests, in an effort to tie up the server indefinitely.
Is there any way, short of installing the patch, to prevent these attacks?
Yes. Administrators can configure how long a URL can be. By limiting the length, you can prevent the kind of extremely long URLs at issue here from being accepted. Just set the following registry entry to the maximum URL length you want to accept:
Hive | HKEY_LOCAL_MACHINE\SYSTEM
Key | CurrentControlSet\Services\W3SVC\Parameters
Name | MaxClientRequestBuffer
Value Type | DWORD
Are IIS 4.0 and IIS 5.0 servers equally vulnerable to such an attack?
No. By default, IIS 5.0 servers would be less likely to be affected than IIS 4.0 servers, because the default maximum length for a URL is significantly smaller in IIS 5.0 than in IIS 4.0. This would have the effect of limiting the complexity of the URL.
Could this vulnerability be exploited accidentally?
It is extremely unlikely that this vulnerability could be exploited accidentally.
What does the patch do?
The patch provides a new, more efficient algorithm for replacing escaped characters.
Where can I get the patch?
The download location for the patch is provided in the "Patch Availability" section of the security bulletin.
How can I tell if I installed the patch correctly?
The KB article provides a manifest of the files in the patch package. The easiest way to verify that you've installed the patch correctly is to verify that these files are present on your computer, and have the same sizes and creation dates as shown in the KB article.
What is Microsoft doing about this issue?
• Microsoft has developed a patch that eliminates the vulnerability.
• Microsoft has provided a security bulletin and this FAQ to provide customers with a detailed understanding of the vulnerability and the patch.
• Microsoft has sent copies of the security bulletin to all subscribers to the Microsoft Product Security Notification Service, a free e-mail service that customers can use to stay up to date with Microsoft security bulletins.
• Microsoft has issued a Knowledge Base article explaining the vulnerability and patch in more detail.
Where can I learn more about best practices for security?
The Microsoft TechNet Security web site is the best place to get information about Microsoft security.
How do I get technical support on this issue?
Microsoft Technical Support can provide assistance with this or any other product support issue.
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.