Microsoft Security Bulletin (MS99-010)

From: aleph1at_private
Date: Sat Mar 27 1999 - 11:29:56 PST


    The following is a Security Bulletin from the Microsoft Product Security
    Notification Service.
    
    Please do not reply to this message, as it was sent from an unattended
    mailbox.
                        ********************************
    
    Microsoft Security Bulletin (MS99-010)
    --------------------------------------
    
    Patch Available for File Access Vulnerability in Personal Web Server
    
    Originally Posted: March 26, 1999
    
    Summary
    =======
    Microsoft has released a patch that eliminates a vulnerability in certain
    versions of Personal Web Server running under Windows (c) 95 or Windows 98,
    which could allow files on the server to be read by an unauthorized user
    who knew the name of the file and requested it via a specific non-standard
    URL. Users running web server products on Microsoft Windows NT (c) are not
    affected.
    
    A fully supported patch is available to fix this vulnerability, and
    Microsoft recommends that customers download and install it if appropriate.
    
    
    Issue
    =====
    This vulnerability allows a file request that uses a non-standard URL to
    bypass the server's normal file access controls. The file must be
    specifically requested by name, so the requester would need to know the
    name of the file or correctly guess it. The vulnerability would allow files
    on the server to be read, but not changed or deleted, and would not allow
    new files to be written to the server. The vulnerability does not usurp any
    administrative privileges on the server.
    
    Although some of the affected products are provided as part of Windows 95
    and 98, none are turned on by default. Further, none of the affected
    products exhibit the vulnerability when run on Windows NT. While there have
    not been any reports of customers being adversely affected by these
    problems, Microsoft is releasing a patch to proactively address this issue.
    
    Affected Software Versions
    ==========================
    This vulnerability involves two different products with similar names:
    Microsoft (r) Personal Web Server and FrontPage (r) Personal Web Server.
    The products can be installed on Windows 95, 98 or Windows NT; however,
    none of the products are affected by this vulnerability if installed on
    Windows NT.
    
     - Microsoft Personal Web Server is available as part
       of Windows 98 and the Windows NT Option Pack (which
       can be installed on Windows 95 and 98, as well as
       Windows NT). Microsoft Personal Web Server 4.0 is
       the only version affected by the vulnerability.
     - There is only one version of FrontPage Personal Web Server,
       which shipped as part of Microsoft FrontPage 1.1, FrontPage 97,
       and FrontPage 98.  It is affected by this vulnerability.
    
    Note: Most FrontPage users will not be affected by this vulnerability.
    FrontPage 97 and 98 include two personal web servers - FrontPage Personal
    Web Server and Microsoft Personal Web Server 2.0 - and by default install
    the latter, which is not affected by the vulnerability. FrontPage 1.1 does
    install the FrontPage Personal Web Server by default.
    
    What Microsoft is Doing
    =======================
    Microsoft has released patches that fix the problem identified. The patches
    are available for download from the sites listed below in What Customers
    Should Do.
    
    Microsoft also has sent this security bulletin to customers
    subscribing to the Microsoft Product Security Notification Service.
    See http://www.microsoft.com/security/services/bulletin.asp for
    more information about this free customer service.
    
    Microsoft has published the following Knowledge Base (KB) articles on this
    issue:
     - Microsoft Knowledge Base (KB) article Q216453,
       FP98: Security Patch for FrontPage Personal Web Server,
       http://support.microsoft.com/support/kb/articles/q216/4/53.asp.
     - Microsoft Knowledge Base (KB) article Q217765,
       FP97: Security Patch for FrontPage Personal Web Server,
       http://support.microsoft.com/support/kb/articles/q217/7/65.asp.
     - Microsoft Knowledge Base (KB) article Q217763,
       File Access Vulnerability in Personal Web Server,
       http://support.microsoft.com/support/kb/articles/q217/7/63.asp
    
    (Note: It might take 24 hours from the original posting of this bulletin for
    the KB articles to be visible in the Web-based Knowledge Base.)
    
    What Customers Should Do
    ========================
    Microsoft highly recommends that customers evaluate the degree of risk that
    this vulnerability poses to their systems and determine whether to download
    and install the patch. The only customers who may be affected by this
    vulnerability are those who use Windows 95 or 98 to host a personal web
    site. As noted above, Windows NT users who host personal web sites are not
    affected by this vulnerability.
    
    If you are using Windows 95 or 98 to host a personal web site but have never
    installed FrontPage:
       You are running Microsoft Personal Web Server. Only version
       4.0 requires a patch. To determine whether you are running
       version 4.0, right-click on the Personal Web Server icon in
       the Windows taskbar system tray (next to the System Clock) and
       choose Properties. If a dialog box titled "Personal Web Manager"
       appears, then you are running Microsoft Personal Web Server 4.0
       and need to install the patch located at
       http://support.microsoft.com/download/support/mslfiles/Pwssecup.exe.
       If the title is anything other than "Personal Web Manager", you
       do not need the patch.
    
    If you are using Windows 95 or 98 to host a personal web site and have
    installed FrontPage:
       As detailed in Affected Software Versions, most users of Microsoft
       FrontPage are not affected by this vulnerability. Use the following
       guidelines to determine if you need this patch:
    
       If you are using FrontPage 98:
    
       1. Start FrontPage, then open a web site on the local machine
          by selecting the Open FrontPage Web command from the File menu.
       2. On the Tools Menu, select Web Settings. Select the Configuration tab.
       3. If the value in the "Server Version" field reads "Microsoft-IIS/4.0",
          Microsoft Personal Web Server 4.0 is installed and you should
          apply the patch located at
          http://support.microsoft.com/download/support/mslfiles/Pwssecup.exe.
       4. If the value in the "Server Version" field reads
          "FrontPage-PWS32/X.X.X.XXXX" (where the Xs signify any digit), the
          FrontPage Personal Web Server is installed and you should install
          the patch for FrontPage 98 users of the FrontPage Personal Web Server
          located at
          http://officeupdate.microsoft.com/downloadDetails/fppws98.htm.
       5. If the value in the "Server Version" field is any other value, you
          do not need the patch.
    
       If you are using FrontPage 97:
    
       1. Start FrontPage, then open a web site on the local machine by
          selecting the Open FrontPage Web command from the File menu.
       2. On the Tools Menu, select Web Settings. Select the Configuration tab.
       3. If the value in the "Server Version" field reads "Microsoft-IIS/4.0",
          Microsoft Personal Web Server 4.0 is installed and you should
          apply the patch located at
          http://support.microsoft.com/download/support/mslfiles/Pwssecup.exe.
       4. If the value in the "Server Version" field reads
          "FrontPage-PWS32/X.X.X.XXXX" (where the Xs signify any digit), the
          FrontPage Personal Web Server is installed and you should upgrade to
          Microsoft Personal Web Server 4.0, which can be downloaded from
          http://www.microsoft.com/windows/ie/pws/default.htm, then install
          the patch for Microsoft Personal Web Server 4.0 located at
          http://support.microsoft.com/download/support/mslfiles/Pwssecup.exe.
          (Users needing remote authoring should follow a different upgrade
          path, detailed in Microsoft Knowledge Base Article Q217765,
          FP97: Security Patch for FrontPage Personal Web Server,
          http://support.microsoft.com/support/kb/articles/q217/7/65.asp)
       5. If the value in the "Server Version" field is any other value, you
          do not need the patch.
    
       If you are using FrontPage 1.1:
    
       You need to upgrade to Microsoft Personal Web Server 4.0, which can be
       downloaded from http://www.microsoft.com/windows/ie/pws/default.htm,
       then install the patch for Microsoft Personal Web Server 4.0 located at
       http://support.microsoft.com/download/support/mslfiles/Pwssecup.exe.
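    The decision procedure in "What Customers Should Do", written out as a small
    inventory triage script. This is an added example, not part of the bulletin
    or any Microsoft tool; the host names, OS strings and FrontPage-PWS32 version
    numbers in the sample inventory are constructed, and the `indicator` field is
    assumed to hold either the "Server Version" value from FrontPage Web Settings
    or, for hosts without FrontPage, the title of the tray icon's Properties dialog.

```python
import re
from typing import Optional

# Patch and upgrade locations quoted in the bulletin.
PWS40_PATCH = "http://support.microsoft.com/download/support/mslfiles/Pwssecup.exe"
FPPWS98_PATCH = "http://officeupdate.microsoft.com/downloadDetails/fppws98.htm"
PWS40_DOWNLOAD = "http://www.microsoft.com/windows/ie/pws/default.htm"

# "FrontPage-PWS32/X.X.X.XXXX", where the Xs signify any digit.
FP_PWS_BANNER = re.compile(r"^FrontPage-PWS32/\d+\.\d+\.\d+\.\d+$")

NOT_AFFECTED = "not affected: Windows NT"
NO_PATCH = "no patch needed"
PATCH_PWS40 = f"apply the PWS 4.0 patch: {PWS40_PATCH}"
PATCH_FPPWS98 = f"apply the FrontPage 98 FP-PWS patch: {FPPWS98_PATCH}"
UPGRADE_THEN_PATCH = (f"upgrade to PWS 4.0 from {PWS40_DOWNLOAD}, "
                      f"then apply {PWS40_PATCH}")


def triage(os_name: str, indicator: str, frontpage: Optional[str]) -> str:
    """Map one host's inventory facts to the bulletin's recommended action.

    os_name   -- "Windows 95", "Windows 98" or "Windows NT ..."
    indicator -- Server Version (FrontPage users) or Properties dialog title
    frontpage -- "1.1", "97", "98", or None if FrontPage was never installed
    """
    if os_name.startswith("Windows NT"):
        return NOT_AFFECTED           # none of the products are affected on NT
    if frontpage is None:
        # Without FrontPage only Microsoft PWS 4.0 needs the patch; its
        # Properties dialog is titled "Personal Web Manager".
        return PATCH_PWS40 if indicator == "Personal Web Manager" else NO_PATCH
    if frontpage == "1.1":
        return UPGRADE_THEN_PATCH     # FP 1.1 installs the FrontPage PWS by default
    if indicator == "Microsoft-IIS/4.0":
        return PATCH_PWS40            # Microsoft PWS 4.0 behind FrontPage 97/98
    if FP_PWS_BANNER.match(indicator):
        if frontpage == "98":
            return PATCH_FPPWS98
        if frontpage == "97":
            return UPGRADE_THEN_PATCH  # remote-authoring users: see KB Q217765
    return NO_PATCH                   # any other Server Version value


def triage_inventory(hosts):
    """Apply triage() to (name, os, indicator, frontpage) tuples."""
    return {name: triage(os_name, ind, fp) for name, os_name, ind, fp in hosts}


# Constructed sample inventory (hosts, banners and build numbers are made up).
SAMPLE_HOSTS = [
    ("desk-01", "Windows 98", "Personal Web Manager", None),
    ("desk-02", "Windows 95", "FrontPage-PWS32/3.0.2.1706", "98"),
    ("desk-03", "Windows 95", "FrontPage-PWS32/2.0.1.1001", "97"),
    ("desk-04", "Windows 98", "Microsoft-IIS/4.0", "98"),
    ("srv-01", "Windows NT 4.0", "Microsoft-IIS/4.0", "98"),
    ("desk-05", "Windows 98", "SomeOtherServer/1.0", "97"),
]
```

    Running `triage_inventory(SAMPLE_HOSTS)` yields one action string per host;
    only desk-01 through desk-04 need a download.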
    
    More Information
    ================
    Please see the following references for more information related to this
    issue.
     - Microsoft Security Bulletin MS99-010,
       Patch Available for File Access Vulnerability in Personal
       Web Server (the Web-posted version of this bulletin),
       http://www.microsoft.com/security/bulletins/ms99-010.asp.
     - Microsoft Knowledge Base Article Q216453,
       FP98: Security Patch for FrontPage Personal Web Server,
       http://support.microsoft.com/support/kb/articles/q216/4/53.asp
     - Microsoft Knowledge Base Article Q217765,
       FP97: Security Patch for FrontPage Personal Web Server,
       http://support.microsoft.com/support/kb/articles/q217/7/65.asp
     - Microsoft Knowledge Base Article Q217763,
       File Access Vulnerability in Personal Web Server,
       http://support.microsoft.com/support/kb/articles/q217/7/63.asp
    
    (Note: It might take 24 hours from the original posting of this bulletin for
    the KB articles to be visible in the Web-based Knowledge Base.)
    
    Obtaining Support on this Issue
    ===============================
    If you require technical assistance with this issue, please contact
    Microsoft Technical Support.  For information on contacting Microsoft
    Technical Support, please see
    http://support.microsoft.com/support/contact/default.asp.
    
    Revisions
    =========
     - March 26, 1999: Bulletin Created
    
    
    For additional security-related information about Microsoft
    products, please visit http://www.microsoft.com/security.
    
    
    ---------------------------------------------------------------
    
    THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS"
    WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER
    EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS
    FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS
    SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
    INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES,
    EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
    POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR
    LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE
    FOREGOING LIMITATION MAY NOT APPLY.
    
    (c) 1999 Microsoft Corporation. All rights reserved. Terms of Use.
    
       *******************************************************************
    You have received this e-mail bulletin as a result of your registration
    to the Microsoft Product Security Notification Service. You may
    unsubscribe from this e-mail notification service at any time by sending
    an e-mail to MICROSOFT_SECURITY-SIGNOFF-REQUESTat_private
    The subject line and message body are not used in processing the request,
    and can be anything you like.
    
    For more information on the Microsoft Security Notification Service
    please visit http://www.microsoft.com/security/bulletin.htm. For
    security-related information about Microsoft products, please visit the
    Microsoft Security Advisor web site at http://www.microsoft.com/security.
    