Bugtraq mailing list archives
Update to Microsoft Security Bulletin MS00-086
From: Microsoft Security Response Center <secure () MICROSOFT COM>
Date: Fri, 10 Nov 2000 18:31:35 -0800
-----BEGIN PGP SIGNED MESSAGE----- Hi All - We have updated Microsoft Security Bulletin MS00-086 (http://www.microsoft.com/technet/security/bulletin/MS00-086.asp), to provide the following additional information: * There is an additional restriction on the vulnerability. As originally reported, the malicious user would need to request a file via a particular type of malformed URL in order to exploit the vulnerability. However, the request would only be processed if (a) it requested a .bat or .cmd file; (b) the file actually existed and (c) the malicious user had execute permissions on the file. This would make the vulnerability more difficult to exploit than originally reported. * IIS 4.0 is affected by the vulnerability, but only if it's used in conjunction with a Windows NT 4.0 service pack prior to Service Pack 6a. Customers running IIS 4.0 on SP6a are not affected by it. Service Pack 6a is available at http://www.microsoft.com/NTServer/nts/downloads/recommended/SP6/allsp6 .asp The updated bulletin has additional details. Regards, Scott Culp Security Program Manager Microsoft Security Response Center -----BEGIN PGP SIGNATURE----- Version: PGP Personal Privacy 6.5.3 iQEVAwUBOgyvXI0ZSRQxA/UrAQEiVQgAlYPjRh+kyZ2qYodTBT3SocTof1SjVShB 0VZB9KvIagWCjE4E8J8G04IhTICW4PMZPFuRrRVM47rxjGFQaw0lH1FBRaJ9XV4n b8bvacwu5jBcw7NaTcMcx17AbxznyMDkwPG/jLtzi/Ss8s06xxTfSQU9+lxOmnmA aR1himlKLmgLAU9cksnUogRsHmOjW4ChzF+zjYJPNfV039lDZFbc3gzI1BcMYOR7 FagOR5wV5yDRPRE7dL/YS15x0/S0AKHC5HAe9sdYqOkJGOw+QGvl3xjGt/tpw4Fd PNuRpBzBoAxIeykIWzP7FWp4bFb+IPM11OMaOt93i8jtXrh0Z79dHw== =jYJu -----END PGP SIGNATURE-----
Current thread:
- Update to Microsoft Security Bulletin MS00-086 Microsoft Security Response Center (Nov 13)