RE: MS01-035 Hot Fix for IIS

From: Microsoft Security Response Center (secure@microsoft.com)
Date: 08/02/01


Subject: RE: MS01-035 Hot Fix for IIS
Date: Wed, 1 Aug 2001 18:04:15 -0700
Message-ID: <C10F7F33B880B248BCC47DB446738847034BB241@red-msg-07.redmond.corp.microsoft.com>
From: "Microsoft Security Response Center" <secure@microsoft.com>
To: <Joe.Granto@WCom.Com>, <bugtraq@securityfocus.com>


-----BEGIN PGP SIGNED MESSAGE-----

Hi All -

We wanted to take a minute and clarify Joe's post a bit. An issue
was identified in the patch for MS01-035 last week. We pulled the
patch from the download site immediately and are working on a
corrected patch which we'll release as soon as possible. When the
new patch is available, we'll re-release the bulletin.

In the meantime, it's worth reiterating a couple of important points
from the bulletin. The piece of software that contains the
vulnerability, known as the Visual Interdev RAD (Remote Application
Deployment) Support sub-component, is not installed by default.
Further, if the administrator does select it for installation, a
dialogue box is displayed pointing out that the sub-component is not
appropriate for use on production systems and should only be
installed on development systems.

As the bulletin discusses, Microsoft doesn't recommend applying the
patch to production systems. Instead, we recommend that the
sub-component, if installed, be removed immediately. The patch
should only be applied to development systems, and even then on ones
that require Visual Interdev RAD support. Of course, standard best
practices call for development to be performed on protected machines;
it's never recommended to connect a development machine to the
Internet.

We apologize for any inconvenience, and are working to complete the
updated patch as quickly as possible.

Regards,

Christopher Budd
Security Program Manager
Microsoft Security Response Center

- -----Original Message-----
From: Joe Granto [mailto:Joe.Granto@WCom.Com]
Sent: Wednesday, August 01, 2001 6:24 AM
To: bugtraq@securityfocus.com
Subject: MS01-035 Hot Fix for IIS

Below you will find the official word from Microsoft regarding this
hotfix. I am unsure if this is common knowledge or not; ignore this
email if it is...

Basically, installing MS01-035 causes the IIS MMC to close when you
click on the server extensions tab under Windows 2000 Advanced Server
on SP2 (with all current hotfixes). Uninstalling MS01-035 fixes the
problem, but opens up the security hole. This, I claim, is a broken
solution.

Of course, you could uninstall the hotfix, make your server extension
mods, then reinstall the hotfix, and just live with the MMC dying when
you click on the server extensions tab, but this is also a broken
solution.

Given the publicity that unchecked buffers have been getting with
respect to IIS, it seems to me that Microsoft should have a better
solution...

- -----Original Message-----
<snip useless info>

Here is a summary of the key points of the case for your records.

Action:
======
Clicking on the Server Extensions Tab within IIS

Result:
======
MMC is closing

Dr Watson. The application MMC generated an application error.
C0000005 at address 77e86662 (interlock increment).

Cause:
======
MS01-035 Hot Fix

Resolution:
=========
Uninstall the Hot fix

Q300477 FPSE: Potential Buffer Overrun Vulnerability w/Visual Studio RAD
http://support.microsoft.com/support/kb/articles/q300/4/77.asp

- ------- End of forwarded message -------

- ----------------------------------------------------------------------
- --
Joe Granto, Rookie Systems Engineer
Wireless Operations and Platform Architecture
MCI or WorldCom, I don't know anymore.
Office: (770)284-5061 VNET: 949-5061
Pager: (888)500-6340 or 5006340@worldcom.com
FAX: (770)284-6824

"There is no estimated time of resolution."

Fear my three minute POP time-out.

There is no MCI, only Zuul.
