Bugtraq mailing list archives

Update to Microsoft Security Bulletin MS00-086


From: Microsoft Security Response Center <secure () MICROSOFT COM>
Date: Fri, 10 Nov 2000 18:31:35 -0800

Hi All -

We have updated Microsoft Security Bulletin MS00-086
(http://www.microsoft.com/technet/security/bulletin/MS00-086.asp), to
provide the following additional information:
* There is an additional restriction on the vulnerability.  As
  originally reported, the malicious user would need to request a file
  via a particular type of malformed URL in order to exploit the
  vulnerability.  However, the request would only be processed if (a)
  it requested a .bat or .cmd file; (b) the file actually existed and
  (c) the malicious user had execute permissions on the file.  This
  would make the vulnerability more difficult to exploit than
  originally reported.
* IIS 4.0 is affected by the vulnerability, but only if it's used in
  conjunction with a Windows NT 4.0 service pack prior to Service Pack
  6a.  Customers running IIS 4.0 on SP6a are not affected by it.
  Service Pack 6a is available at
  http://www.microsoft.com/NTServer/nts/downloads/recommended/SP6/allsp6.asp

The updated bulletin has additional details.  Regards,

Scott Culp
Security Program Manager
Microsoft Security Response Center



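The restriction in the bulletin update (only requests for an existing .bat or .cmd file are processed) gives administrators a narrow thing to look for in web server logs. The following is an added example, not part of the original message or of any Microsoft tooling: it parses W3C Extended Log File Format text and lists requests whose URI stem names a .bat or .cmd file. The log lines are constructed, and the function name and the status-code triage rule are assumptions of this example.

```python
import re
from urllib.parse import unquote

# Constructed sample in W3C Extended Log File Format (not real traffic).
SAMPLE_LOG = """\
#Version: 1.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2000-11-11 09:14:02 192.0.2.10 GET /default.asp - 200
2000-11-11 09:14:07 192.0.2.44 GET /scripts/backup.bat - 200
2000-11-11 09:14:09 192.0.2.44 GET /scripts/missing.cmd - 404
2000-11-11 09:15:30 192.0.2.51 GET /cgi-bin/Report%2ECMD arg=1 403
2000-11-11 09:16:00 192.0.2.10 GET /docs/batch.html - 200
"""

# A path segment that ends in .bat or .cmd (end of stem or followed by "/").
SCRIPT_RE = re.compile(r"\.(bat|cmd)(?=$|/)", re.IGNORECASE)


def find_batch_requests(log_text):
    """Return one dict per request whose URI stem names a .bat/.cmd file."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # the column layout can change mid-file
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # skip truncated or malformed rows
        row = dict(zip(fields, values))
        # Decode in case the stem was logged percent-encoded.
        stem = unquote(row.get("cs-uri-stem", ""))
        if SCRIPT_RE.search(stem):
            status = row.get("sc-status", "")
            hits.append({
                "client": row.get("c-ip", ""),
                "stem": stem,
                "status": status,
                # Assumed triage rule: 404 suggests the file did not exist and
                # 403 suggests access was refused, so review everything else.
                "needs_review": status not in {"403", "404"},
            })
    return hits


if __name__ == "__main__":
    for hit in find_batch_requests(SAMPLE_LOG):
        print(hit)
```

Any hit marked for review is also a prompt to check whether that .bat or .cmd file needs to be in a web-served directory at all.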

