From secnotif@MICROSOFT.COM Wed Apr 19 10:07:27 2000 From: Microsoft Product Security Resent-From: mea culpa To: MICROSOFT_SECURITY@ANNOUNCE.MICROSOFT.COM Resent-To: jericho@attrition.org Date: Mon, 17 Apr 2000 10:33:30 -0700 Subject: Microsoft Security Bulletin (MS00-025) The following is a Security Bulletin from the Microsoft Product Security Notification Service. Please do not reply to this message, as it was sent from an unattended mailbox. ******************************** -----BEGIN PGP SIGNED MESSAGE----- Microsoft Security Bulletin (MS00-025) - -------------------------------------- Procedure Available to Eliminate "Link View Server-Side Component" Vulnerability Originally Posted: April 14, 2000 Updated: April 17, 2000 Summary ======= On April 14, 2000, Microsoft issued the original version of this bulletin, to discuss a security vulnerability affecting several web server products. Shortly after publishing the bulletin, we learned of a new, separate vulnerability that increased the threat to users of these products. We updated the bulletin later on April 14, 2000, to advise customers of the new vulnerability, and noted that we would provide additional details when known. On April 17, 2000, we updated the bulletin again to provide those details. A procedure is available to eliminate a security vulnerability that could allow a malicious user to cause a web server to crash, or potentially run arbitrary code on the server, if certain permissions have been changed from their default settings to inappropriate ones. Although this bulletin has been updated several times as the investigation of this issue has progressed, the remediation steps have always remained the same - customers running affected web servers should delete the affected file, Dvwssr.dll. Customers who have done this at any point in the past do not need to take any further action. Frequently asked questions regarding this vulnerability and the procedure can be found at http://www.microsoft.com/technet/security/bulletin/fq00-025.asp Issue ===== Dvwssr.dll is a server-side component used to support the Link View feature in Visual Interdev 1.0. However, it contains an unchecked buffer. If overrun with random data, it could be used to cause an affected server to crash, or could allow arbitrary code to run on the server in a System context. By default, the affected component, Dvwssr.dll, resides in a folder whose permissions only allow web authors to execute it. Under these conditions, only a person with web author privileges could exploit the vulnerability - but a web author already has the ability to upload and execute code of his choice, so this case represents little additional threat. However, if the permissions on the folder were set inappropriately, or the .dll were copied to a folder with lower permissions, it could be possible for other users to execute the component and exploit the vulnerability. Affected Software Versions ========================== The affected component is part of Visual Interdev 1.0. However, it is a server-side component, and is included in the following products: - Microsoft(r) Windows NT(r) 4.0 Option Pack, which is the primary distribution mechanism for Internet Information Server 4.0 - Personal Web Server 4.0, which ships as part of Windows(r) 95 and 98 - Front Page 98 Server Extensions, which ships as part of Front Page 98. NOTE: 1. Windows 2000 is not affected by this vulnerability. Upgrading from an affected Windows NT 4.0 to Windows 2000 removes the vulnerability. 2. Installing Office 2000 Server Extensions on an affected server removes this vulnerability. 3. Installing FrontPage 2000 Server Extensions on an affected server removes this vulnerability. Remediation =========== To eliminate this vulnerability, customers who are hosting web sites using any of the affected products should delete all copies of the file Dvwssr.dll from their servers. The FAQ provides step-by-step instructions for doing this. The only functionality lost by deleting the file is the ability to generate link views of .asp pages using Visual Interdev 1.0. More Information ================ Please see the following references for more information related to this issue. - Frequently Asked Questions: Microsoft Security Bulletin MS00-025, http://www.microsoft.com/technet/security/bulletin/fq00-025.asp. - Microsoft Knowledge Base article Q259799 discusses this issue and will be available soon. - Microsoft TechNet Security web site, http://www.microsoft.com/technet/security/default.asp. Obtaining Support on this Issue =============================== Information on contacting Microsoft Technical Support is available at http://support.microsoft.com/support/contact/default.asp. Revisions ========= - April 14, 2000: Bulletin Created. - April 14, 2000: Bulletin updated to provide preliminary results of investigation of buffer overrun vulnerability. - April 17, 2000: Bulletin updated to provide final results of investigation. - ---------------------------------------------------------------- THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY. Last updated April 17, 2000 (c) 2000 Microsoft Corporation. All rights reserved. Terms of use. -----BEGIN PGP SIGNATURE----- Version: PGP 6.0.2 iQEVAwUBOPtK540ZSRQxA/UrAQFLNAf/f+J9Gu2bLni4x+CD2TxY4LZXsCLGkQgq hXiEcNVlqccSClIRg84zlYL2KDGkDCwQWtE8JR93V0MkirOdpY9rCW39DWCzJxo0 2wKI9NaPJl8cgbMiFWpRErw8ojHoX+fgtWqBGbGnZPxShCmQOVh/xBLvjCz1KakZ GrzNecfyK58aT3Ao2w8uxAfLp8z0Kzuaj+YYmkLq36/TPUkBmBJHsDOBP++3WoDA 1Dxe9/zahwMd7wwtwdQGtFUD9iQYVB3zd8QnYZCiwUOJR6fLc2nsj4AtylFynqRD Mg4lsvMjDzHZj6p5JMbxpzebymWTjPgTd5hr66ZBdtb8CdwisV/oig== =6B1q -----END PGP SIGNATURE----- ******************************************************************* You have received this e-mail bulletin as a result of your registration to the Microsoft Product Security Notification Service. You may unsubscribe from this e-mail notification service at any time by sending an e-mail to MICROSOFT_SECURITY-SIGNOFF-REQUEST@ANNOUNCE.MICROSOFT.COM The subject line and message body are not used in processing the request, and can be anything you like. To verify the digital signature on this bulletin, please download our PGP key at http://www.microsoft.com/technet/security/notify.asp. For more information on the Microsoft Security Notification Service please visit http://www.microsoft.com/technet/security/notify.asp. For security-related information about Microsoft products, please visit the Microsoft Security Advisor web site at http://www.microsoft.com/security.