Re: IIS and Frontpage Extensions Vulnerability.
From: M. Burnett (mburnett@xato.net)
Date: 08/29/02
From: "M. Burnett" <mburnett@xato.net>
To: <focus-ms@securityfocus.com>
Date: Wed, 28 Aug 2002 19:48:05 -0600
None of the issues with htimage.exe or imagemap.exe (those you
mentioned and a few others) were ever fixed and the only solution is
to remove the files. Just to be sure of this, I just ran tests on a
recent version of the file and they are indeed vulnerable.
So yes, your admin is right. Delete the files.
The strange thing is that although these files are vulnerable, they
were included in all subsequent service packs plus the Post-SP2
security roll-up. However, the version included in SP3 finally seems
to have been neutered and does not appear to function at all.
Microsoft's position on this is:
"The Microsoft FrontPage Server Extensions-related files,
Imagemap.exe and Htimage.exe, are no longer included with Windows.
These files are largely obsolete and contain reported security
vulnerabilities." (Q324943)
Presumably, if you install SP3 and remove the files, they will be
replaced with a safe (although non-functioning) version. To manually
delete the files, remove them first from the system32\dllcache
directory then delete them.
Oh and for those of you who don't already have this item on your IIS
security checklist, you should probably add it.
Mark Burnett
www.iissecurity.net
------------------------------------------------------
Try Pafwert, a free random password generator. Creates strong
passwords that are easy to remember:
http://www.iissecurity.net/pafwert
>On Tue, 27 Aug 2002 16:16:27 -0700, Kim, Cameron wrote:
>Guys,
>
>I have a question regarding IIS 5.0 running on win2k server sp2.
>(frontpage extensions not installed)
>
>My Web Admin is a bit concerned because he has been trying to delete
>htimage.exe and imagemap.exe but stubborn windows file protection
>continues to replace it. He feels that the following vulnerabilities
>(http://online.securityfocus.com/bid/964) and
>http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/fq00-028.asp
>are still present, even though they
>are not directly mentioned in the security bulletin. (given that the
>bulletin is over 2 years old)
>
>Is his concern warranted? Or has one of the service packs fixed this
>issue?
>I am looking for some written proof pointing to the fact that this
>vulnerability doesn't exist anymore. Thanks.
>
>
>
>Cameron Kim Mitsubishi Digital Electronics America
>
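
The checklist item from the message above, as an added audit example that is not part of the original post or from its author: it reports every copy of htimage.exe and imagemap.exe and lists dllcache copies first, since those are the ones Windows File Protection restores from. The search roots parameter and the use of PowerShell 4 or later (for `Get-FileHash`) are assumptions; only the file names and the system32\dllcache location come from the thread. The script reports only and deletes nothing.

```powershell
param(
    # Assumption: roots to search; defaults to the whole system drive.
    [string[]]$SearchRoots = @("$env:SystemDrive\")
)

# File names and dllcache location as given in the thread.
$targets  = 'htimage.exe', 'imagemap.exe'
$dllcache = Join-Path $env:SystemRoot 'system32\dllcache'

# -Force is needed because dllcache is a hidden system directory.
$found = foreach ($root in $SearchRoots) {
    Get-ChildItem -Path $root -Include $targets -Recurse -File -Force `
        -ErrorAction SilentlyContinue
}

$report = $found | Sort-Object FullName -Unique | ForEach-Object {
    [pscustomobject]@{
        Path        = $_.FullName
        # True for the cached copy that file protection restores from.
        InDllCache  = $_.DirectoryName -ieq $dllcache
        Length      = $_.Length
        FileVersion = $_.VersionInfo.FileVersion
        SHA256      = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
    }
}

if (@($report).Count -eq 0) {
    Write-Output 'No copies of htimage.exe or imagemap.exe found.'
    exit 0
}

# dllcache copies first, matching the removal order given in the message.
$report |
    Sort-Object @{ Expression = 'InDllCache'; Descending = $true }, Path |
    Format-Table -AutoSize -Wrap

# Non-zero exit so a scheduled audit can flag the host.
exit 1
```

Comparing Length, FileVersion and SHA256 across hosts separates a copy restored by file protection from a service pack replacement.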