What's this bulletin about?
Microsoft Security Bulletin MS99-022 announces the availability of a patch that eliminates a vulnerability in Microsoft® Internet Information Server 3.0 and 4.0. The vulnerability could allow a web site visitor to view the source code for certain types of files on the web server, but only if the server is configured to use Chinese, Korean, or Japanese as the default language. Microsoft takes security seriously, and is providing the bulletin to inform customers of the vulnerability and what they can do about it.
Why was the IIS 4.0 patch re-released?
We determined that the original patch for IIS 4.0 contained a regression error. We have removed the regression error from the patch and thoroughly tested it, and are confident in the patch that we are re-releasing today.
I installed the original version of the patch. What should I do?
• If you applied the IIS 3.0 version of the patch, you do not need to do anything. Only the IIS 4.0 version contained the regression error.
• If you applied the IIS 4.0 version of the patch, and subsequently applied any IIS 4.0 patch or Windows NT Service Pack dated August 16, 1999, or later, you do not need to do anything. The fix for the regression error was included in these later products.
• If you applied the IIS 4.0 version of the patch and did not subsequently apply another patch or Windows NT Service Pack, you need to download and install the new version of the patch. You do not need to remove the old patch in any way.
Does the regression error change Microsoft's assessment of the vulnerability?
No. The regression error was completely unrelated to the vulnerability. All of the information regarding the vulnerability is unchanged from our original assessment.
What's the scope of the vulnerability?
The vulnerability allows a web site visitor to view the source code for certain types of files on the server. It does not bypass normal file permissions - so the visitor can still only access the files that the web site operator allows them to access. It also does not allow the web site visitor to change any of the information in a file that they view. The vulnerability does not provide any opportunity for a web site visitor to gain any privileges on the server.
What do you mean by "view the source code"? I thought I always viewed the source code for files I request from the server.
For some types of files, you do. For example, when you point your browser to an .HTM file, the contents of the file are simply sent from the server to your browser, which then interprets the commands in the file in order to display the page.
However, some file types provide advanced functionality via server-side processing. The best example is an .ASP file. .ASP files are essentially programs that are used to generate .HTM files dynamically, and whenever you request an .ASP file from a server, the "program" is run on the server and the resulting .HTM file is sent to your browser. Because such files are never intended to leave the server, they sometimes contain sensitive information - however, this is not a recommended practice. Using this vulnerability, a web site visitor could cause the server-side processing to be bypassed, and the file's source code would be delivered and displayed as text.
Why is this vulnerability titled the "Double Byte Code Page" vulnerability?
The critical factor that determines which web servers are affected is the default language that the machine uses. The default language in Windows® 95, 98 and Windows NT® is selected by picking a "code page" that associates every displayable character for that language with an underlying numeric value. In most languages, each character is represented by a single byte. However, Chinese, Japanese and Korean require two bytes to represent each character, hence they use double byte code pages. The underlying issue in this vulnerability lies in the way that certain invalid URLs are processed when a double byte code page is in use.
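As an added illustration (not part of the bulletin or of any Microsoft code), the Python sketch below shows the one-byte versus two-byte encoding described above and a defensive check that flags request paths whose percent-decoded bytes are not valid text in a given double byte code page. The bulletin does not say which invalid URLs trigger the issue, so this is a generic validity check; the function names are hypothetical, the sample paths are constructed, and Python's codecs stand in for the Windows code pages.

```python
from urllib.parse import unquote_to_bytes

# Windows double byte code pages mapped to the Python codec that models each
# (assumption: Python's codecs approximate the Windows tables closely enough
# for a validity check).
DBCS_CODECS = {932: "cp932", 936: "cp936", 949: "cp949", 950: "cp950"}

# Constructed sample request paths (not taken from any real log).
SAMPLE_PATHS = [
    "/default.asp",        # plain ASCII, valid in every code page
    "/%93%FA%96%7B.htm",   # two well-formed two-byte characters in code page 932
    "/a%81/b.htm",         # lead byte 0x81 followed by an illegal trail byte
]


def bytes_per_char(text, codec):
    """Return the encoded length in bytes of each character under codec."""
    return [len(ch.encode(codec)) for ch in text]


def invalid_for_code_page(url_path, code_page):
    """Return True if the percent-decoded path is malformed in the code page."""
    raw = unquote_to_bytes(url_path)
    try:
        raw.decode(DBCS_CODECS[code_page], errors="strict")
    except UnicodeDecodeError:
        return True
    return False


def flag_requests(paths, code_page):
    """Return the paths an operator should review for the given code page."""
    return [p for p in paths if invalid_for_code_page(p, code_page)]


if __name__ == "__main__":
    print(bytes_per_char("A日本", "cp932"))   # ASCII letter vs. Japanese characters
    for path in flag_requests(SAMPLE_PATHS, 932):
        print("malformed for code page 932:", path)
```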
So this vulnerability only affects customers who bought a Chinese, Korean or Japanese version of IIS 3.0 or 4.0?
No, the critical factor is the default language for the server. Any customer running IIS 3.0 or 4.0 on a server whose default language uses a double byte code page (i.e., Chinese, Korean or Japanese) is affected. So, for example, a customer would be affected who bought an English version of IIS and Windows NT, but later installed the appropriate language pack and changed the server's default language to Chinese. On the other hand, a customer who bought the Chinese version of Windows NT but reset the default language to English would not be affected.
Can IIS 3.0 and 4.0 only be run on Windows NT?
Although IIS is most commonly run on Windows NT, it also can be run on Windows 95 or 98. The same issue exists when IIS is run atop Windows 95 or 98.
What should customers do?
Microsoft recommends that customers assess the risk that this vulnerability poses to their safe computing and determine whether or not to apply the patch. The download location for the patch is provided in the security bulletins.
What is Microsoft doing about this issue?
• Microsoft has developed a patch that eliminates the vulnerability.
• Microsoft has provided a security bulletin and this FAQ to provide customers with a detailed understanding of the vulnerability and the patch.
• Microsoft has sent copies of the security bulletin to all subscribers to the Microsoft Product Security Notification Service, a free e-mail service that customers can use to stay up to date with Microsoft security bulletins.
• Microsoft has issued a Knowledge Base article explaining the vulnerability and patch in more detail.
Where can I learn more about best practices for my network?
The Microsoft Security web site is the best place to get information about Microsoft security. A particularly helpful reference regarding best practices for servers is Securing Windows NT Server Installation, which details recommended settings for Windows NT servers. For information on securing an IIS server, see the IIS Security Checklist.
How do I get technical support on this issue?
Information on contacting Microsoft Technical Support is available at http://support.microsoft.com/contactussupport/?ws=support.
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.