Security Bulletin
Microsoft Security Bulletin MS11-004 - Important
Vulnerability in Internet Information Services (IIS) FTP Service Could Allow Remote Code Execution (2489256)
Published: February 08, 2011 | Updated: March 08, 2011
Version: 2.0
General Information
Executive Summary
This security update resolves a publicly disclosed vulnerability in Microsoft Internet Information Services (IIS) FTP Service. The vulnerability could allow remote code execution if an FTP server receives a specially crafted FTP command. FTP Service is not installed by default on IIS.
This security update is rated Important for Microsoft FTP Service 7.0 for IIS 7.0 and Microsoft FTP Service 7.5 for IIS 7.0 when installed on all supported editions of Windows Vista and Windows Server 2008, and for Microsoft FTP Service 7.5 for Internet Information Services 7.5 on all supported editions of Windows 7 and Windows Server 2008 R2. For more information, see the subsection, Affected and Non-Affected Software, in this section.
The security update addresses the vulnerability by modifying the way that the IIS FTP Service handles specially crafted FTP commands. For more information about the vulnerability, see the Frequently Asked Questions (FAQ) subsection for the specific vulnerability entry under the next section, Vulnerability Information.
Recommendation. The majority of customers have automatic updating enabled and will not need to take any action because this security update will be downloaded and installed automatically. Customers who have not enabled automatic updating need to check for updates and install this update manually. For information about specific configuration options in automatic updating, see Microsoft Knowledge Base Article 294871.
For administrators and enterprise installations, or end users who want to install this security update manually, Microsoft recommends that customers apply the update at the earliest opportunity using update management software, or by checking for updates using the Microsoft Update service.
See also the section, Detection and Deployment Tools and Guidance, later in this bulletin.
Known Issues. Microsoft Knowledge Base Article 2489256 documents the currently known issues that customers may experience when installing this security update. The article also documents recommended solutions for these issues.
Affected and Non-Affected Software
The following software has been tested to determine which versions or editions are affected. Other versions or editions are either past their support life cycle or are not affected. To determine the support life cycle for your software version or edition, visit Microsoft Support Lifecycle.
Affected Software
Operating System | Component | Maximum Security Impact | Aggregate Severity Rating | Bulletins Replaced by this Update |
---|---|---|---|---|
Windows Vista Service Pack 1 and Windows Vista Service Pack 2 | Microsoft FTP Service 7.0 for IIS 7.0[1] and Microsoft FTP Service 7.5 for IIS 7.0[1] | Remote Code Execution | Important | None |
Windows Vista x64 Edition Service Pack 1 and Windows Vista x64 Edition Service Pack 2 | Microsoft FTP Service 7.0 for IIS 7.0[1] and Microsoft FTP Service 7.5 for IIS 7.0[1] | Remote Code Execution | Important | None |
Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2 | Microsoft FTP Service 7.0 for IIS 7.0[1]* and Microsoft FTP Service 7.5 for IIS 7.0[1]* | Remote Code Execution | Important | None |
Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2 | Microsoft FTP Service 7.0 for IIS 7.0[1]* and Microsoft FTP Service 7.5 for IIS 7.0[1]* | Remote Code Execution | Important | None |
Windows 7 for 32-bit Systems and Windows 7 for 32-bit Systems Service Pack 1 | Microsoft FTP Service 7.5 for IIS 7.5 | Remote Code Execution | Important | None |
Windows 7 for x64-based Systems and Windows 7 for x64-based Systems Service Pack 1 | Microsoft FTP Service 7.5 for IIS 7.5 | Remote Code Execution | Important | None |
Windows Server 2008 R2 for x64-based Systems and Windows Server 2008 R2 for x64-based Systems Service Pack 1 | Microsoft FTP Service 7.5 for IIS 7.5* | Remote Code Execution | Important | None |
Windows Server 2008 R2 for Itanium-based Systems and Windows Server 2008 R2 for Itanium-based Systems Service Pack 1 | Microsoft FTP Service 7.5 for IIS 7.5 | Remote Code Execution | Important | None |
Non-Affected Software
Operating System | Component |
---|---|
Windows XP Service Pack 3 | Microsoft FTP Service 5.1 for IIS 5.1 |
Windows XP Professional x64 Edition Service Pack 2 | Microsoft FTP Service 5.1 for IIS 6.0 |
Windows Server 2003 Service Pack 2 | Microsoft FTP Service 6.0 for IIS 6.0 |
Windows Server 2003 x64 Edition Service Pack 2 | Microsoft FTP Service 6.0 for IIS 6.0 |
Windows Server 2003 with SP2 for Itanium-based Systems | Microsoft FTP Service 6.0 for IIS 6.0 |
Windows Vista Service Pack 1 and Windows Vista Service Pack 2 | Microsoft FTP Service 6.0 for IIS 7.0[1] Microsoft FTP Service 6.0 for IIS 7.5[1] |
Windows Vista x64 Edition Service Pack 1 and Windows Vista x64 Edition Service Pack 2 | Microsoft FTP Service 6.0 for IIS 7.0[1] Microsoft FTP Service 6.0 for IIS 7.5[1] |
Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2 | Microsoft FTP Service 6.0 for IIS 7.0[1] Microsoft FTP Service 6.0 for IIS 7.5[1] |
Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2 | Microsoft FTP Service 6.0 for IIS 7.0[1] Microsoft FTP Service 6.0 for IIS 7.5[1] |
Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2 | Microsoft FTP Service 6.0 for IIS 7.0[1] Microsoft FTP Service 6.0 for IIS 7.5[1] |
[1] The default FTP Service for this operating system
Frequently Asked Questions (FAQ) Related to This Security Update
Why was this bulletin revised on March 8, 2011?
Microsoft clarified the Affected Software to include Windows 7 for 32-bit Systems Service Pack 1, Windows 7 for x64-based Systems Service Pack 1, Windows Server 2008 R2 for x64-based Systems Service Pack 1, and Windows Server 2008 R2 for Itanium-based Systems Service Pack 1.
Customers of the original release version of Windows 7 for 32-bit Systems, Windows 7 for x64-based Systems, Windows Server 2008 R2 for x64-based Systems, and Windows Server 2008 R2 for Itanium-based Systems, who have already applied this security update do not need to take any action. Customers who have updated these operating systems with the corresponding Service Pack 1 need to apply this security update.
I have IIS installed but have not enabled FTP. Do I need to apply this update?
This vulnerability only affects systems on which one of the listed versions of FTP Service is enabled. If an affected version of FTP Service is installed but not enabled, the update will still be offered through automatic updating.
How can I verify which version of the FTP Service is installed on my system?
On Windows Vista and Windows Server 2008, if ftpsvc.dll exists in the %SystemRoot%\system32\inetsrv directory, then the system contains a version of FTP Service affected by this vulnerability (Microsoft FTP Service 7.0 or Microsoft FTP Service 7.5). If the system contains ftpsvc2.dll in this directory, that indicates the presence of Microsoft FTP Service 6.0 on the system, which is not affected by this vulnerability.
Is my system affected by this vulnerability if the FTP Service is set up to disable anonymous authentication?
Yes. This vulnerability occurs before authentication, so a malicious client can compromise a vulnerable system even if it is configured to not allow anonymous authentication.
Where are the file information details?
Refer to the reference tables in the Security Update Deployment section for the location of the file information details.
I am using an older release of the software discussed in this security bulletin. What should I do?
The affected software listed in this bulletin has been tested to determine which releases are affected. Other releases are past their support life cycle. For more information about the product lifecycle, visit the Microsoft Support Lifecycle Web site.
It should be a priority for customers who have older releases of the software to migrate to supported releases to prevent potential exposure to vulnerabilities. To determine the support lifecycle for your software release, see Select a Product for Lifecycle Information. For more information about service packs for these software releases, see Lifecycle Supported Service Packs.
Customers who require custom support for older software must contact their Microsoft account team representative, their Technical Account Manager, or the appropriate Microsoft partner representative for custom support options. Customers without an Alliance, Premier, or Authorized Contract can contact their local Microsoft sales office. For contact information, visit the Microsoft Worldwide Information Web site, select the country in the Contact Information list, and then click Go to see a list of telephone numbers. When you call, ask to speak with the local Premier Support sales manager. For more information, see the Microsoft Support Lifecycle Policy FAQ.
Vulnerability Information
Severity Ratings and Vulnerability Identifiers
The following severity ratings assume the potential maximum impact of the vulnerability. For information regarding the likelihood, within 30 days of this security bulletin's release, of the exploitability of the vulnerability in relation to its severity rating and security impact, please see the Exploitability Index in the February bulletin summary. For more information, see Microsoft Exploitability Index.
Affected Software | IIS FTP Service Heap Buffer Overrun Vulnerability - CVE-2010-3972 | Aggregate Severity Rating |
---|---|---|
Microsoft FTP Service 7.0 for IIS 7.0 when installed on Windows Vista Service Pack 1 and Windows Vista Service Pack 2 | Important Remote Code Execution | Important |
Microsoft FTP Service 7.5 for IIS 7.0 when installed on Windows Vista Service Pack 1 and Windows Vista Service Pack 2 | Important Remote Code Execution | Important |
Microsoft FTP Service 7.0 for IIS 7.0 when installed on Windows Vista x64 Edition Service Pack 1 and Windows Vista x64 Edition Service Pack 2 | Important Remote Code Execution | Important |
Microsoft FTP Service 7.5 for IIS 7.0 when installed on Windows Vista x64 Edition Service Pack 1 and Windows Vista x64 Edition Service Pack 2 | Important Remote Code Execution | Important |
Microsoft FTP Service 7.0 for IIS 7.0 when installed on Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2* | Important Remote Code Execution | Important |
Microsoft FTP Service 7.5 for IIS 7.0 when installed on Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2* | Important Remote Code Execution | Important |
Microsoft FTP Service 7.0 for IIS 7.0 when installed on Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2* | Important Remote Code Execution | Important |
Microsoft FTP Service 7.5 for IIS 7.0 when installed on Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2* | Important Remote Code Execution | Important |
Internet Information Services 7.5 on Windows 7 for 32-bit Systems and Windows 7 for 32-bit Systems Service Pack 1 | Important Remote Code Execution | Important |
Internet Information Services 7.5 on Windows 7 for x64-based Systems and Windows 7 for x64-based Systems Service Pack 1 | Important Remote Code Execution | Important |
Internet Information Services 7.5 on Windows Server 2008 R2 for x64-based Systems and Windows Server 2008 R2 for x64-based Systems Service Pack 1* | Important Remote Code Execution | Important |
Internet Information Services 7.5 on Windows Server 2008 R2 for Itanium-based Systems and Windows Server 2008 R2 for Itanium-based Systems Service Pack 1 | Important Remote Code Execution | Important |
Windows Vista (all editions)
Reference Table
Inclusion in Future Service Packs | The update for this issue will be included in a future service pack or update rollup |
Deployment | |
Installing without user intervention | For Microsoft FTP Service 7.0 for IIS 7.0 when installed on all supported 32-bit editions of Windows Vista: ftp70_x86_kb2489256.msp /q |
 | For Microsoft FTP Service 7.5 for IIS 7.0 when installed on all supported 32-bit editions of Windows Vista: ftp75_x86_kb2489256.msp /q |
 | For Microsoft FTP Service 7.0 for IIS 7.0 when installed on all supported x64-based editions of Windows Vista: ftp70_x64_kb2489256.msp /q |
 | For Microsoft FTP Service 7.5 for IIS 7.0 when installed on all supported x64-based editions of Windows Vista: ftp75_x64_kb2489256.msp /q |
Installing without restarting | For Microsoft FTP Service 7.0 for IIS 7.0 when installed on all supported 32-bit editions of Windows Vista: ftp70_x86_kb2489256.msp /norestart |
 | For Microsoft FTP Service 7.5 for IIS 7.0 when installed on all supported 32-bit editions of Windows Vista: ftp75_x86_kb2489256.msp /norestart |
 | For Microsoft FTP Service 7.0 for IIS 7.0 when installed on all supported x64-based editions of Windows Vista: ftp70_x64_kb2489256.msp /norestart |
 | For Microsoft FTP Service 7.5 for IIS 7.0 when installed on all supported x64-based editions of Windows Vista: ftp75_x64_kb2489256.msp /norestart |
Further information | See the subsection, Detection and Deployment Tools and Guidance |
Restart Requirement | |
Restart required? | This update does not require a restart. The installer stops the required services, applies the update, and then restarts the services. However, if the required services cannot be stopped for any reason, or if required files are being used, this update will require a restart. If this behavior occurs, a message appears that advises you to restart. |
HotPatching | Not applicable. |
Removal Information | WUSA.exe does not support uninstall of updates. To uninstall an update installed by WUSA, click Control Panel, and then click Security. Under Windows Update, click View installed updates and select from the list of updates. |
File Information | See Microsoft Knowledge Base Article 2489256 |
Registry Key Verification | Note A registry key does not exist to validate the presence of this update. |
Switch | Description |
---|---|
**/help** | Displays usage dialog box. |
Setup Modes | |
**/q** | Sets user interface level. |
Install Options | |
**/extract \[directory\]** | Extract the package to the specified directory. |
Restart Options | |
**/norestart** | Does not restart when installation has completed. |
**/forcerestart** | Always restarts the computer after installation. |
**/promptrestart** | Prompts the user to restart if necessary. |
Logging Options | |
**/l\[i\|w\|e\|a\|r\|u\|c\|m\|o\|p\|v\|x\|+\|!\|\*\] <LogFile>** | Sets logging options. |
 | i – status messages |
 | w – non-fatal warnings |
 | e – all error messages |
 | a – startup of actions |
 | r – action-specific records |
 | u – user request |
 | c – initial UI parameters |
 | m – out-of-memory or fatal exit information |
 | o – out-of-disk-space messages |
 | p – terminal properties |
 | v – verbose output |
 | x – extra debugging information |
 | + – append to existing log file |
 | ! – flush each line to the log |
 | \* – log all information, except for v and x options |
**/log <LogFile>** | Equivalent of /l\* <LogFile> |
Verifying That the Update Has Been Applied
Microsoft Baseline Security Analyzer
To verify that a security update has been applied to an affected system, you may be able to use the Microsoft Baseline Security Analyzer (MBSA) tool. See the section, Detection and Deployment Tools and Guidance, earlier in this bulletin for more information.
File Version Verification
Because there are several editions of Microsoft Windows, the following steps may be different on your system. If they are, see your product documentation to complete these steps.
- Click Start and then enter an update file name in the Start Search box.
- When the file appears under Programs, right-click the file name and click Properties.
- On the General tab, compare the file size with the file information tables provided in the bulletin KB article.
  Note Depending on the edition of the operating system, or the programs that are installed on your system, some of the files that are listed in the file information table may not be installed.
- You can also click the Details tab and compare information, such as file version and date modified, with the file information tables provided in the bulletin KB article.
  Note Attributes other than the file version may change during installation. Comparing other file attributes to the information in the file information table is not a supported method of verifying that the update has been applied. Also, in certain cases, files may be renamed during installation. If the file or version information is not present, use one of the other available methods to verify update installation.
- Finally, you can also click the Previous Versions tab and compare file information for the previous version of the file with the file information for the new, or updated, version of the file.
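The FAQ answer above identifies the installed FTP Service by whether ftpsvc.dll (FTP 7.0/7.5, affected) or ftpsvc2.dll (FTP 6.0, not affected) is present in %SystemRoot%\system32\inetsrv, and the File Version Verification steps compare the file version against the tables in the KB article. The following PowerShell script is an added example that automates both checks on one host; it is not part of the bulletin or of Microsoft's tooling. It assumes the service names ftpsvc (FTP 7.x) and MSFtpsvc (FTP 6.0), and the $MinimumFixedVersion parameter is a placeholder that the operator must fill from the ftpsvc.dll entry in Microsoft Knowledge Base Article 2489256, since the bulletin itself does not state the fixed version.

```powershell
# Added example, not from the bulletin: report which Microsoft FTP Service
# binaries are present, whether the FTP 7.x service is enabled, and the file
# version of ftpsvc.dll for comparison with the KB 2489256 file tables.
param(
    # Placeholder: replace with the ftpsvc.dll version listed in KB 2489256
    # for this edition; the bulletin does not state it.
    [version]$MinimumFixedVersion = '0.0.0.0'
)

$inetsrv = Join-Path $env:SystemRoot 'system32\inetsrv'
$ftp7    = Join-Path $inetsrv 'ftpsvc.dll'    # FTP Service 7.0 / 7.5 (affected)
$ftp6    = Join-Path $inetsrv 'ftpsvc2.dll'   # FTP Service 6.0 (not affected)

function Get-FileVersionOf([string]$Path) {
    # Build a [version] from the numeric parts. The FileVersion string on
    # Windows binaries often carries a trailing build tag that [version] rejects.
    $vi = (Get-Item -LiteralPath $Path).VersionInfo
    New-Object System.Version $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart
}

function Get-ServiceStartMode([string]$Name) {
    # Assumed service names: 'ftpsvc' for FTP 7.x, 'MSFtpsvc' for FTP 6.0.
    $svc = Get-WmiObject Win32_Service -Filter "Name='$Name'"
    if ($svc) { $svc.StartMode } else { 'NotInstalled' }
}

$result = New-Object PSObject -Property @{
    Ftp7Installed = Test-Path -LiteralPath $ftp7
    Ftp7StartMode = Get-ServiceStartMode 'ftpsvc'
    Ftp7Version   = $null
    MeetsMinimum  = $null
    Ftp6Installed = Test-Path -LiteralPath $ftp6
    Ftp6StartMode = Get-ServiceStartMode 'MSFtpsvc'
}

if ($result.Ftp7Installed) {
    $result.Ftp7Version  = Get-FileVersionOf $ftp7
    $result.MeetsMinimum = ($result.Ftp7Version -ge $MinimumFixedVersion)
}

# The bulletin notes the flaw is reachable before authentication, so an FTP 7.x
# service that is installed and not Disabled is exposed regardless of the
# anonymous-authentication setting; flag that combination explicitly.
$exposed = $result.Ftp7Installed -and
           ($result.Ftp7StartMode -ne 'Disabled') -and
           ($result.Ftp7StartMode -ne 'NotInstalled') -and
           (-not $result.MeetsMinimum)

$result | Format-List Ftp7Installed, Ftp7Version, Ftp7StartMode, MeetsMinimum, Ftp6Installed, Ftp6StartMode
if ($exposed) { Write-Warning 'FTP 7.x is enabled and ftpsvc.dll is below the supplied minimum version.' }
```

Run it with the version from the KB article, for example `.\Check-Ms11004.ps1 -MinimumFixedVersion 7.5.7600.16385` (the number here is illustrative, not the bulletin's). A host where only ftpsvc2.dll is found is outside the scope of this update, matching the FAQ; a host where ftpsvc.dll is present but the service is Disabled still receives the update through automatic updating, as the bulletin states.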
Windows Server 2008 (all editions)
Reference Table
The following table contains the security update information for this software. You can find additional information in the subsection, Deployment Information, in this section.
Inclusion in Future Service Packs | The update for this issue will be included in a future service pack or update rollup |
Deployment | |
Installing without user intervention | For Microsoft FTP Service 7.0 for IIS 7.0 when installed on all supported 32-bit editions of Windows Server 2008: ftp70_x86_kb2489256.msp /q |
 | For Microsoft FTP Service 7.5 for IIS 7.0 when installed on all supported 32-bit editions of Windows Server 2008: ftp75_x86_kb2489256.msp /q |
 | For Microsoft FTP Service 7.0 for IIS 7.0 when installed on all supported x64-based editions of Windows Server 2008: ftp70_x64_kb2489256.msp /q |
 | For Microsoft FTP Service 7.5 for IIS 7.0 when installed on all supported x64-based editions of Windows Server 2008: ftp75_x64_kb2489256.msp /q |
Installing without restarting | For Microsoft FTP Service 7.0 for IIS 7.0 when installed on all supported 32-bit editions of Windows Server 2008: ftp70_x86_kb2489256.msp /norestart |
 | For Microsoft FTP Service 7.5 for IIS 7.0 when installed on all supported 32-bit editions of Windows Server 2008: ftp75_x86_kb2489256.msp /norestart |
 | For Microsoft FTP Service 7.0 for IIS 7.0 when installed on all supported x64-based editions of Windows Server 2008: ftp70_x64_kb2489256.msp /norestart |
 | For Microsoft FTP Service 7.5 for IIS 7.0 when installed on all supported x64-based editions of Windows Server 2008: ftp75_x64_kb2489256.msp /norestart |
Further information | See the subsection, Detection and Deployment Tools and Guidance |
Restart Requirement | |
Restart required? | This update does not require a restart. The installer stops the required services, applies the update, and then restarts the services. However, if the required services cannot be stopped for any reason, or if required files are being used, this update will require a restart. If this behavior occurs, a message appears that advises you to restart. |
HotPatching | Not applicable. |
Removal Information | WUSA.exe does not support uninstall of updates. To uninstall an update installed by WUSA, click Control Panel, and then click Security. Under Windows Update, click View installed updates and select from the list of updates. |
File Information | See Microsoft Knowledge Base Article 2489256 |
Registry Key Verification | Note A registry key does not exist to validate the presence of this update. |
Switch | Description |
---|---|
**/help** | Displays usage dialog box. |
Setup Modes | |
**/q** | Sets user interface level. |
Install Options | |
**/extract \[directory\]** | Extract the package to the specified directory. |
Restart Options | |
**/norestart** | Does not restart when installation has completed. |
**/forcerestart** | Always restarts the computer after installation. |
**/promptrestart** | Prompts the user to restart if necessary. |
Logging Options | |
**/l\[i\|w\|e\|a\|r\|u\|c\|m\|o\|p\|v\|x\|+\|!\|\*\] <LogFile>** | Sets logging options. |
 | i – status messages |
 | w – non-fatal warnings |
 | e – all error messages |
 | a – startup of actions |
 | r – action-specific records |
 | u – user request |
 | c – initial UI parameters |
 | m – out-of-memory or fatal exit information |
 | o – out-of-disk-space messages |
 | p – terminal properties |
 | v – verbose output |
 | x – extra debugging information |
 | + – append to existing log file |
 | ! – flush each line to the log |
 | \* – log all information, except for v and x options |
**/log <LogFile>** | Equivalent of /l\* <LogFile> |
Verifying That the Update Has Been Applied
Microsoft Baseline Security Analyzer
To verify that a security update has been applied to an affected system, you may be able to use the Microsoft Baseline Security Analyzer (MBSA) tool. See the section, Detection and Deployment Tools and Guidance, earlier in this bulletin for more information.
File Version Verification
Because there are several editions of Microsoft Windows, the following steps may be different on your system. If they are, see your product documentation to complete these steps.
- Click Start and then enter an update file name in the Start Search box.
- When the file appears under Programs, right-click the file name and click Properties.
- On the General tab, compare the file size with the file information tables provided in the bulletin KB article.
  Note Depending on the edition of the operating system, or the programs that are installed on your system, some of the files that are listed in the file information table may not be installed.
- You can also click the Details tab and compare information, such as file version and date modified, with the file information tables provided in the bulletin KB article.
  Note Attributes other than the file version may change during installation. Comparing other file attributes to the information in the file information table is not a supported method of verifying that the update has been applied. Also, in certain cases, files may be renamed during installation. If the file or version information is not present, use one of the other available methods to verify update installation.
- Finally, you can also click the Previous Versions tab and compare file information for the previous version of the file with the file information for the new, or updated, version of the file.
Windows 7 (all editions)
Reference Table
The following table contains the security update information for this software. You can find additional information in the subsection, Deployment Information, in this section.
Inclusion in Future Service Packs | The update for this issue will be included in a future service pack or update rollup |
Deployment | |
Installing without user intervention | For all supported 32-bit editions of Windows 7: Windows6.1-KB2489256-x86.msu /quiet |
 | For all supported x64-based editions of Windows 7: Windows6.1-KB2489256-x64.msu /quiet |
Installing without restarting | For all supported 32-bit editions of Windows 7: Windows6.1-KB2489256-x86.msu /quiet /norestart |
 | For all supported x64-based editions of Windows 7: Windows6.1-KB2489256-x64.msu /quiet /norestart |
Further information | See the subsection, Detection and Deployment Tools and Guidance |
Restart Requirement | |
Restart required? | This update does not require a restart. The installer stops the required services, applies the update, and then restarts the services. However, if the required services cannot be stopped for any reason, or if required files are being used, this update will require a restart. If this behavior occurs, a message appears that advises you to restart. |
HotPatching | Not applicable. |
Removal Information | To uninstall an update installed by WUSA, use the /Uninstall setup switch or click Control Panel, click System and Security, and then under Windows Update, click View installed updates and select from the list of updates. |
File Information | See Microsoft Knowledge Base Article 2489256 |
Registry Key Verification | Note A registry key does not exist to validate the presence of this update. |
Windows Server 2008 R2 (all editions)
Reference Table
Inclusion in Future Service Packs | The update for this issue will be included in a future service pack or update rollup |
Deployment | |
Installing without user intervention | For all supported x64-based editions of Windows Server 2008 R2: Windows6.1-KB2489256-x64.msu /quiet |
 | For all supported Itanium-based editions of Windows Server 2008 R2: Windows6.1-KB2489256-ia64.msu /quiet |
Installing without restarting | For all supported x64-based editions of Windows Server 2008 R2: Windows6.1-KB2489256-x64.msu /quiet /norestart |
 | For all supported Itanium-based editions of Windows Server 2008 R2: Windows6.1-KB2489256-ia64.msu /quiet /norestart |
Further information | See the subsection, Detection and Deployment Tools and Guidance |
Restart Requirement | |
Restart required? | This update does not require a restart. The installer stops the required services, applies the update, and then restarts the services. However, if the required services cannot be stopped for any reason, or if required files are being used, this update will require a restart. If this behavior occurs, a message appears that advises you to restart. |
HotPatching | Not applicable. |
Removal Information | To uninstall an update installed by WUSA, use the /Uninstall setup switch or click Control Panel, click System and Security, and then under Windows Update, click View installed updates and select from the list of updates. |
File Information | See Microsoft Knowledge Base Article 2489256 |
Registry Key Verification | Note A registry key does not exist to validate the presence of this update. |
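The Windows 7 and Windows Server 2008 R2 reference tables above give the .msu package per architecture and the /quiet /norestart switches for an unattended install; the Removal Information row adds that the same WUSA.exe installer handles /Uninstall. The PowerShell script below is an added example, not from the bulletin or from Microsoft, that selects the package named in those tables for the local architecture, runs wusa.exe with the bulletin's switches, and turns the exit code into a deployment result. The $PackageDir path is a placeholder, and the exit-code meanings are the standard Win32 and Windows Update Agent codes that wusa.exe returns, not values the bulletin states.

```powershell
# Added example, not from the bulletin: unattended install of the Windows 7 /
# Windows Server 2008 R2 package for KB2489256 with result interpretation.
param(
    # Placeholder: directory where the downloaded .msu files were saved.
    [string]$PackageDir = 'C:\Updates'
)

# A 32-bit PowerShell on a 64-bit OS reports x86 in PROCESSOR_ARCHITECTURE and
# the real architecture in PROCESSOR_ARCHITEW6432, so prefer the latter when set.
$arch = if ($env:PROCESSOR_ARCHITEW6432) { $env:PROCESSOR_ARCHITEW6432 } else { $env:PROCESSOR_ARCHITECTURE }

# Package names are taken from the bulletin's reference tables.
$package = switch ($arch) {
    'x86'   { 'Windows6.1-KB2489256-x86.msu' }
    'AMD64' { 'Windows6.1-KB2489256-x64.msu' }
    'IA64'  { 'Windows6.1-KB2489256-ia64.msu' }
    default { throw "Unsupported architecture: $arch" }
}
$path = Join-Path $PackageDir $package
if (-not (Test-Path -LiteralPath $path)) { throw "Package not found: $path" }

# /quiet /norestart are the switches from the "Installing without restarting" row.
# Use the native wusa.exe path so the call is unaffected by PATH changes.
$wusa = Join-Path $env:SystemRoot 'System32\wusa.exe'
$proc = Start-Process -FilePath $wusa -ArgumentList "`"$path`" /quiet /norestart" -Wait -PassThru

# Exit codes below are standard Win32 / Windows Update Agent values (assumed from
# Windows documentation, not stated in the bulletin). Process.ExitCode is a signed
# Int32, so HRESULT-style failures appear as negative numbers.
switch ($proc.ExitCode) {
    0           { 'Installed; no restart required.' }
    3010        { 'Installed; restart required to complete (ERROR_SUCCESS_REBOOT_REQUIRED). The bulletin notes this happens when the FTP service or its files could not be stopped.' }
    2359302     { 'Already installed (WU_S_ALREADY_INSTALLED, 0x00240006).' }
    -2145124329 { 'Not applicable to this system (WU_E_NOT_APPLICABLE, 0x80240017), e.g. FTP Service 7.5 is not installed.' }
    default     { "wusa.exe exited with code $($proc.ExitCode); review the Windows Update log before retrying." }
}
```

Because the bulletin states that no registry key exists to confirm this update, confirm deployment afterwards with the File Version Verification method from the Windows Vista and Windows Server 2008 sections, or with MBSA, rather than relying on the installer's exit code alone. A 3010 result means the FTP service was left running on the old binaries until the restart, which is the window to schedule and track.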