Bugtraq mailing list archives

Retraction of Patch for "Malformed HTTP Request Header" Security Vulnerability


From: secure () MICROSOFT COM (Microsoft Product Security Response Team)
Date: Wed, 11 Aug 1999 15:41:56 -0700


This morning, we released Microsoft Security Bulletin MS99-029, discussing
the availability of a patch for the "Malformed HTTP Request Header"
vulnerability.  However, we have discovered that the patch package contains
a regression error.  As a result, we have removed the patch from our
download site.

We are very sorry for any inconvenience that this problem may have caused.
We are working to correct the error and will re-release the patch in a few
days.  In the meantime, here are the basic details:

* The error lies in how IIS log files are processed.  If writing a log
  record caused the size of the log file to be an exact multiple of 64KB, the
  server would hang.
* An affected server could be put back into service by killing the IIS
  process, copying the log file to a safe location, erasing the working copy,
  and restarting the IIS service.
* If you have not installed the patch, we recommend that you do not do
  so until the new version is ready.
* If you have installed the patch, we do not recommend attempting to
  back it out.  The conditions under which the error occurs are fairly rare, and
  we intend to deliver a new version of the patch very quickly.  We recommend
  that you be alert to the possibility of the error, but take no other action.

We will post full details as part of the security bulletin
(http://www.microsoft.com/security/bulletins/ms99-029.asp) within the hour,
and will send the information to customers who have subscribed to the
Microsoft Product Notification Service
(http://www.microsoft.com/security/services/bulletin.asp).  When the new
patch is available, we will re-release the bulletin.

Regards,

Secure () microsoft com

