Microsoft Security Bulletin MS01-014 - Critical
Malformed URL can Cause Service Failure in IIS 5.0 and Exchange 2000
Published: March 01, 2001 | Updated: June 23, 2003
Originally posted: March 01, 2001
Updated: June 23, 2003
Who should read this bulletin:
System administrators using either Microsoft® IIS 5.0 or Exchange 2000.
Impact of vulnerability:
Denial of service
System administrators should apply the patch to servers running the affected products.
- Microsoft Internet Information Services 5.0
- Microsoft Exchange 2000
IIS 5.0 contains a flaw affecting the way that an URL is handled if it has a specific construction and its length is within a very narrow range of values. If such an URL were repeatedly sent to an affected system, a confluence of events could cause a memory allocation error that would result in the failure of the IIS service.
Exchange 2000 is affected by the same vulnerability. To support web-based mail clients, it introduces the ability to address items on the store via URLs. This is done in part by using IIS 5.0, and in part via code that is specific to Exchange 2000. Both pieces of code contain the flaw, but the effect of exploiting the vulnerability via either would be the same -- it could be used to cause the IIS service to fail, but could not be used to attack the Exchange service itself. That is, successfully attacking an Exchange server via this vulnerability would disrupt web-based mail clients' use of the server, but not that of MAPI-based mail clients like Outlook.
Because the flaw occurs in two different code modules, one of which installs as part of IIS 5.0 and both of which install as part of Exchange 2000, it is important for Exchange 2000 administrators to install both the IIS and Exchange patches below.
- The vulnerability would not enable the attacker to gain any administrative control over the server, or to alter any data on it.
- The affected services automatically restart in the event of a failure, so an affected system would resume service almost immediately.
- A successful attack against an Exchange server would only disrupt web-based mail clients' use of the server. The server would continue to be available for MAPI-based clients like Outlook.
- The ISAPI involved in this vulnerability authenticates the user prior to servicing the request, so a properly configured Exchange server would be at less risk than an IIS server.
Vulnerability identifier: CAN-2001-0146
Frequently asked questions
What's the scope of the vulnerability?
This is a denial of service vulnerability. It could enable an attacker to temporarily disrupt service on an affected web, or to temporarily disrupt web-based access to an affected mail server. Although the server in either case would automatically resume normal operation, any sessions in progress at the time of the attack would be lost. The vulnerability does not provide any opportunity for the attacker to usurp administrative control over the server, or to add, change or delete data on it.
What causes the vulnerability?
The vulnerability results because Internet Information Services (IIS) 5.0 and Exchange 2000 do not correctly handle an URL that has a specific construction and a length that falls within a very narrow range of values. If either product received such an URL a sufficient number of times, the IIS service would fail.
I thought URLs were only used in conjunction with web browsing. Why is Exchange affected by this vulnerability?
Exchange 2000 supports the use of web-based mail clients and, as a result, it has the ability to accept and process URLs. In fact, all requests to an Exchange server can be made via URLs. Although the code in Exchange that processes URLs is separate from the IIS code, both have the same flaw.
What's wrong with the URL at issue here?
There's nothing wrong with the URL per se. Although it would be extremely unlikely to ever be sent for a legitimate purpose, both IIS and Exchange should nevertheless be able to deal with the URL and handle it appropriately. Instead, the flaws causes a memory allocation error which, if it occurred enough times, would cause an access violation. This would cause the IIS service on the machine to fail.
Don't you mean that it would cause the IIS or Exchange service to fail, depending on the type of server?
No. In both cases, the effect would be to cause the IIS service to fail. The Exchange service can't be made to fail via this vulnerability.
What would be the effect of a successful attack via this vulnerability?
It would depend on whether the attack was against a web server or a mail server. In either case, it would cause the IIS 5.0 service to fail. On a web server, this would prevent the server from providing web services. On a mail server, it would only prevent web-based mail clients from using the system; mail clients like Outlook, which don't operate via the web, wouldn't see any disruption in their mail service.
Would sending the URL one time cause the service to fail?
No. Not only would the attacker need to pick an URL with the correct construction and length, he'd also need to send it repeatedly in order to exploit the vulnerability.
How long would the disruption last?
Under normal conditions, an attack could only cause a momentary disruption in service. The IIS 5.0 service is configured by default to automatically restart itself in the event of a failure, so it would almost immediately resume normal operation.
Could the vulnerability be used to take over a server?
No. It's strictly a denial of service vulnerability. It could not be used to gain any administrative control over a web or mail server, or change any of the data on it. It could only be used to prevent a server from providing service.
Could the vulnerability be exploited accidentally?
No. It's extremely unlikely that an URL with the particular construction and length could be sent accidentally.
Does this vulnerability pose a greater risk to IIS or Exchange servers?
If best practices have been followed, Exchange servers would be at less risk. Due to the way the affected components are designed, only authenticated users would be able to send requests to the Exchange server under normal conditions. This means that Internet users would be unable to attack an affected Exchange server. In contrast, web servers typically accept requests from any user.
Does this vulnerability affect previous versions of IIS or Exchange?
No. Only IIS 5.0 and Exchange 2000 are affected.
What does the patch do?
The patch eliminates the vulnerability by causing the URL to be appropriately handled. In most cases, such an URL would be invalid, and the patch causes IIS 5.0 and Exchange 2000 to treat it that way.
Why do both the Exchange and IIS patches need to be applied to Exchange 2000 servers?
Although IIS 5.0 and Exchange 2000 contain the same coding flaw, it lies in two different components. One of these components is part of IIS 5.0, and the other is part of Exchange 2000. However, IIS is installed as part of Exchange 2000, so an Exchange 2000 server will require both the IIS 5.0 and Exchange 2000 patches.
Download locations for this patch
Microsoft IIS 5.0:
Microsoft Exchange 2000:
Note: As discussed in Technical Discussion, Exchange 2000 administrators should install both the IIS 5.0 and Exchange 2000 patches.
Additional information about this patch
- The IIS 5.0 patch can be installed on systems running Windows 2000 Gold and Service Pack 1.
- The Exchange 2000 patch can be installed on systems running Exchange 2000 Gold.
Inclusion in future service packs:
- The fix for the IIS 5.0 issue will be included in Windows 2000 Service Pack 2.
- The fix for the Exchange 2000 issue will be included in Exchange 2000 Service Pack 1.
Verifying patch installation:
To verify that the patch has been installed on the machine, confirm that the following registry key has been created on the machine:
To verify the individual files in the patch, use the date/time and version information provided in the following registry key:
- To verify that the patch has been installed on the machine, confirm that both of the following registry keys have been created on the machine:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP2\Q286818
- HKLM\SOFTWARE\Microsoft\Updates\Exchange Server 2000 Service Pack 1\Q287678.
- To verify the individual files in the patch, use the date/time and version information provided in the following registry keys:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP2\Q286818\Filelist
- HKLM\SOFTWARE\Microsoft\Updates\Exchange Server 2000 Service Pack 1\Q287678\Filelist.
Exchange 2000 systems require both the IIS 5.0 and Exchange 2000 patches.
Localized versions of this patch are under development. When completed, they will be available at the locations discussed in "Obtaining other security patches".
Obtaining other security patches:
Patches for other security issues are available from the following locations:
- Security patches are available from the Microsoft Download Center, and can be most easily found by doing a keyword search for "security_patch".
- Patches are also available from the WindowsUpdate web site
- Microsoft Knowledge Base articles Q286818 and Q287678 discuss this issue and will be available approximately 24 hours after the release of this bulletin. Knowledge Base articles can be found on the Microsoft Online Support web site.
- Technical support is available from Microsoft Product Support Services. There is no charge for support calls associated with security patches.
Security Resources: The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.
The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
- V1.0 (March 01, 2001): Bulletin Created.
- V1.1 (June 13, 2001): Bulletin revised to note that IIS 5.0 patch is applicable to Windows 2000 Gold and Service Pack 1 and has been included in Windows 2000 Service Pack 2.
- V1.2 (June 23, 2003): Updated Windows Update download links.
Built at 2014-04-18T13:49:36Z-07:00