The following is a Security Bulletin from the Microsoft Product Security Notification Service. Please do not reply to this message, as it was sent from an unattended mailbox. ******************************** Re-release of Patch for "Double Byte Code Page" Vulnerability ------------------------------------------------------------- August 20, 1999 Issue ===== Microsoft has identifed and corrected a regression error in the IIS 4.0 version of the previously-released patch for the "Double Byte Code Page" vulnerability. The corrected patch has been re-released, and an updated security bulletin is available at http://www.microsoft.com/security/bulletins/ms99-022.asp. Details ======= Shortly after releasing the patch for the "Malformed HTTP Request Header" vulnerability (http://www.microsoft.com/Security/Bulletins/ms99-029.asp), Microsoft discovered a regression error in it. We investigated all previously-released patches to determine whether any others were affected by the error, and discovered that one other patch was affected -- the IIS 4.0 version of the patch for the "Double Byte Code Page" vulnerability. On August 16, 1999, we re-released the patch for the "Malformed HTTP Request Header" vulnerability, and today are re-releasing the patch for the "Double Byte Code Page" vulnerability. We have verified that no other security patches are affected by this vulnerability, and have corrected our code base to eliminate the error from all future IIS 4.0 releases. The regression error is completely unrelated to the vulnerabilities, and does not change our diagnosis of either. The error occurs if the IIS log file grows to a size that is an exact multiple of 64KB; if this happens, the server will hang. The problem can be resolved by stopping the IIS service, starting a new log file, and restarting the IIS service. The regression error affected only IIS 4.0, and was introduced after Windows NT 4.0 Service Pack 5. How to Identify the Re-released Patches ======================================= - The re-released patches for the "Double Byte Code Page" are timestamped August 17, 1999. (Please note that the IIS 3.0 patches were unaffected by the regression error, so they are still timestamped June 24, 1999). - The re-released patches for the "Malformed HTTP Request Header" are timestamped August 12, 1999. What Customers Should Do ======================== You do not need to take any action if ANY of the following apply to you: - You are running IIS 3.0. - You have not installed any IIS 4.0 patches released after Windows NT 4.0 Service Pack 5. - You have installed the re-released patch for the "Malformed HTTP Request Header" vulnerability. You need to take action if ALL of the following apply to you: - You applied the original version of either the "Double Byte Code Page" patch or the "Malformed HTTP Request Header" patch. - You have not applied the re-released version of either patch. If you need to take action, you should apply the re-released patches for either the "Maformed HTTP Request Header" or "Double Byte Code Page" vulnerabilities. Applying either of the patches will correct the error. It's not necessary to "back out" either of the original patches; just download the new version of either patch and install it. Obtaining Support on this Issue =============================== This is a fully supported patch. Information on contacting Microsoft Technical Support is available at http://support.microsoft.com/support/contact/default.asp. --------------------------------------------------------------- THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY. (c) 1999 Microsoft Corporation. All rights reserved. Terms of Use. ******************************************************************* You have received this e-mail bulletin as a result of your registration to the Microsoft Product Security Notification Service. You may unsubscribe from this e-mail notification service at any time by sending an e-mail to MICROSOFT_SECURITY-SIGNOFF-REQUESTat_private The subject line and message body are not used in processing the request, and can be anything you like. For more information on the Microsoft Security Notification Service please visit http://www.microsoft.com/security/services/bulletin.asp. For security-related information about Microsoft products, please visit the Microsoft Security Advisor web site at http://www.microsoft.com/security.
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:57:46 PDT