Bugtraq mailing list archives
Microsoft Security Bulletin (MS00-025)
From: secnotif () MICROSOFT COM (Microsoft Product Security)
Date: Mon, 17 Apr 2000 10:33:30 -0700
The following is a Security Bulletin from the Microsoft Product Security Notification Service.

Please do not reply to this message, as it was sent from an unattended mailbox.
********************************

-----BEGIN PGP SIGNED MESSAGE-----

Microsoft Security Bulletin (MS00-025)
- --------------------------------------

Procedure Available to Eliminate "Link View Server-Side Component" Vulnerability

Originally Posted: April 14, 2000
Updated: April 17, 2000

Summary
=======
On April 14, 2000, Microsoft issued the original version of this bulletin, to discuss a security vulnerability affecting several web server products. Shortly after publishing the bulletin, we learned of a new, separate vulnerability that increased the threat to users of these products. We updated the bulletin later on April 14, 2000, to advise customers of the new vulnerability, and noted that we would provide additional details when known. On April 17, 2000, we updated the bulletin again to provide those details.

A procedure is available to eliminate a security vulnerability that could allow a malicious user to cause a web server to crash, or potentially run arbitrary code on the server, if certain permissions have been changed from their default settings to inappropriate ones.

Although this bulletin has been updated several times as the investigation of this issue has progressed, the remediation steps have always remained the same - customers running affected web servers should delete the affected file, Dvwssr.dll. Customers who have done this at any point in the past do not need to take any further action.

Frequently asked questions regarding this vulnerability and the procedure can be found at http://www.microsoft.com/technet/security/bulletin/fq00-025.asp

Issue
=====
Dvwssr.dll is a server-side component used to support the Link View feature in Visual Interdev 1.0. However, it contains an unchecked buffer. If overrun with random data, it could be used to cause an affected server to crash, or could allow arbitrary code to run on the server in a System context.

By default, the affected component, Dvwssr.dll, resides in a folder whose permissions only allow web authors to execute it. Under these conditions, only a person with web author privileges could exploit the vulnerability - but a web author already has the ability to upload and execute code of his choice, so this case represents little additional threat. However, if the permissions on the folder were set inappropriately, or the .dll were copied to a folder with lower permissions, it could be possible for other users to execute the component and exploit the vulnerability.

Affected Software Versions
==========================
The affected component is part of Visual Interdev 1.0. However, it is a server-side component, and is included in the following products:

 - Microsoft(r) Windows NT(r) 4.0 Option Pack, which is the primary distribution mechanism for Internet Information Server 4.0
 - Personal Web Server 4.0, which ships as part of Windows(r) 95 and 98
 - Front Page 98 Server Extensions, which ships as part of Front Page 98.

NOTE:
 1. Windows 2000 is not affected by this vulnerability. Upgrading from an affected Windows NT 4.0 to Windows 2000 removes the vulnerability.
 2. Installing Office 2000 Server Extensions on an affected server removes this vulnerability.
 3. Installing FrontPage 2000 Server Extensions on an affected server removes this vulnerability.

Remediation
===========
To eliminate this vulnerability, customers who are hosting web sites using any of the affected products should delete all copies of the file Dvwssr.dll from their servers. The FAQ provides step-by-step instructions for doing this. The only functionality lost by deleting the file is the ability to generate link views of .asp pages using Visual Interdev 1.0.

More Information
================
Please see the following references for more information related to this issue.

 - Frequently Asked Questions: Microsoft Security Bulletin MS00-025, http://www.microsoft.com/technet/security/bulletin/fq00-025.asp.
 - Microsoft Knowledge Base article Q259799 discusses this issue and will be available soon.
 - Microsoft TechNet Security web site, http://www.microsoft.com/technet/security/default.asp.

Obtaining Support on this Issue
===============================
Information on contacting Microsoft Technical Support is available at http://support.microsoft.com/support/contact/default.asp.

Revisions
=========
 - April 14, 2000: Bulletin Created.
 - April 14, 2000: Bulletin updated to provide preliminary results of investigation of buffer overrun vulnerability.
 - April 17, 2000: Bulletin updated to provide final results of investigation.

- ----------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

Last updated April 17, 2000

(c) 2000 Microsoft Corporation. All rights reserved. Terms of use.
*******************************************************************
You have received this e-mail bulletin as a result of your registration to the Microsoft Product Security Notification Service. You may unsubscribe from this e-mail notification service at any time by sending an e-mail to

MICROSOFT_SECURITY-SIGNOFF-REQUEST () ANNOUNCE MICROSOFT COM

The subject line and message body are not used in processing the request, and can be anything you like.

To verify the digital signature on this bulletin, please download our PGP key at http://www.microsoft.com/technet/security/notify.asp.

For more information on the Microsoft Security Notification Service please visit http://www.microsoft.com/technet/security/notify.asp. For security-related information about Microsoft products, please visit the Microsoft Security Advisor web site at http://www.microsoft.com/security.
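
The remediation in the bulletin only works if every copy of Dvwssr.dll is found, including copies placed outside the default folder. The following Python script is an added example, not part of the bulletin or of Microsoft's FAQ procedure: it inventories copies under the given directory roots, optionally deletes them, and re-scans to confirm. The function names, the `--delete` switch and the choice of roots are assumptions made for illustration.

```python
import os
import sys

TARGET = "dvwssr.dll"  # file named in the bulletin; Windows file names are case-insensitive


def find_copies(roots, target=TARGET):
    """Return (hits, unreadable): every file under `roots` whose name equals
    `target` ignoring case, plus directories that could not be listed."""
    hits, unreadable = [], []
    for root in roots:
        walker = os.walk(root, onerror=lambda err: unreadable.append(err.filename))
        for dirpath, _dirs, files in walker:
            hits.extend(os.path.join(dirpath, f) for f in files if f.lower() == target)
    return sorted(hits), sorted(unreadable)


def remediate(roots, delete=False):
    """Inventory all copies and, if delete=True, remove them.
    Returns (removed, remaining, unreadable); the server is clean only when
    `remaining` and `unreadable` are both empty after a delete run."""
    hits, _ = find_copies(roots)
    removed = []
    if delete:
        for path in hits:
            try:
                os.remove(path)
                removed.append(path)
            except OSError:
                pass  # e.g. file locked by the running web server; shows up in `remaining`
    remaining, unreadable = find_copies(roots)  # re-scan to confirm the result
    return removed, remaining, unreadable


if __name__ == "__main__":
    # Hypothetical usage: python find_dvwssr.py [--delete] ROOT [ROOT ...]
    args = sys.argv[1:]
    roots = [a for a in args if a != "--delete"]
    removed, remaining, unreadable = remediate(roots, delete="--delete" in args)
    for label, paths in (("removed", removed), ("present", remaining), ("unreadable", unreadable)):
        for p in paths:
            print(f"{label}: {p}")
    sys.exit(1 if remaining or unreadable else 0)
```

Run it without `--delete` first to review the inventory; a non-zero exit status means a copy is still present or part of the tree could not be read.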