MS03-018: May 2003 cumulative patch for Internet Information Services (IIS)


Symptoms

Microsoft has released a cumulative patch for Internet Information Server (IIS) 4.0, Internet Information Services (IIS) 5.0, and IIS 5.1. This patch includes the functionality of all security patches that have been released for IIS 4.0 since Windows NT 4.0 Service Pack 6a (SP6a), all security patches that have been released for IIS 5.0 since Windows 2000 Service Pack 2 (SP2), and all security patches that have been released for IIS 5.1. Additionally, this patch includes fixes for the following newly discovered security vulnerabilities that affect IIS 4.0, 5.0, and 5.1:
  • A cross-site scripting (CSS) vulnerability that affects IIS 4.0, 5.0, and 5.1. This vulnerability involves the error message that is returned to advise that a requested URL has been redirected. An attacker who lures a user to click a link on the attacker's Web site could relay a request that contains a script to a third-party Web site running IIS. This request could cause the third-party site's response (still including the script) to be sent to the user. The script could then run by using the security settings of the third-party site instead of the security settings of the attacker's site.
  • A buffer overrun that results because IIS 5.0 does not correctly validate requests for specific types of Web pages that are known as server-side includes. An attacker would have to be able to upload a server-side include page to a vulnerable IIS server. If the attacker then requests this page, a buffer overrun might occur. This buffer overrun would permit the attacker to run the code of his or her choice on the server with user-level permissions.
  • A denial of service vulnerability that results because of a flaw in the way that IIS 4.0 and 5.0 allocate memory requests when they construct headers to be returned to a Web client. An attacker would have to be able to upload an ASP page to a vulnerable IIS server. When the attacker calls to this ASP page, the page tries to return a very large header to the calling Web client. Because IIS does not limit the memory that can be used in this case, this might cause IIS to run out of memory and fail.
  • A denial of service vulnerability that results because IIS 5.0 and 5.1 do not correctly handle an error condition when a WebDAV request that is too long is passed to them. An attacker could use this problem to cause IIS to fail. However, by default, both IIS 5.0 and 5.1 restart immediately after this failure.
Mitigating factors for Redirection Cross-Site Scripting:
  • IIS 6.0 is not affected.
  • The vulnerability can only be exploited if the attacker can lure another user to visit a Web page and then click a link on the Web page, or lure the user to open an HTML mail.
  • The destination page must be an ASP page that uses Response.Redirect to redirect the client to a new URL that is based on the incoming URL of the current request.
Mitigating factors for Server Side Include Web Pages Buffer Overrun:
  • IIS 4.0, IIS 5.1, and IIS 6.0 are not affected.
  • By default, the IIS Lockdown tool disables the Ssinc.dll mapping (http://technet.microsoft.com/en-us/library/dd450372.aspx). This setting blocks this type of attack.
  • By default, IIS 5.0 runs under a user account and not under the system account. Therefore, an attacker who successfully exploited this vulnerability would gain only user level permissions instead of administrative level permissions.
  • An attacker must be able to upload files to the IIS Server.
Mitigating factors for Headers Denial of Service:
  • IIS 5.1 is not affected.
  • An attacker must be able to upload files to the IIS server.
  • IIS 5.0 automatically restarts after this failure.
Mitigating factors for WebDAV Denial of Service:

Resolution

Hotfix information

Caution If you have an application that is running under IIS and the application extends the IIS metabase schema, installing the security rollup fix may remove these extensions and your application may not function correctly. To determine if a third-party application extends the metabase schema, contact the third-party vendor.

Some ProClarity products are known to be affected by this security rollup fix, including the following products:
  • ProClarity Enterprise Server 4.0 and later
  • ProClarity Analytics Server 5.0, 5.1, and 5.2
To resolve the issue BEFORE you install the security rollup, use one of the following options:
  • Create a backup of the metabase, install the security rollup fix, and then restore the metabase afterward. (Note that Microsoft does not recommend this because of possible compatibility issues.)


    For more information about how to create a metabase backup, click the following article number to view the article in the Microsoft Knowledge Base:

    302573 How to back up and restore IIS

  • Install Microsoft Windows 2000 Service Pack 4 (SP4). Windows 2000 SP4 includes the security rollup.
  • Contact Microsoft Product Support Services to receive a hotfix that corrects this problem.
If you have already installed the security rollup fix, and you have a problem with your application that extends the IIS metabase schema, the application must re-extend the metabase schema. This may require reinstalling the product.

Service pack information

To resolve this problem, obtain the latest service pack for Windows XP. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
322389 How to obtain the latest Windows XP service pack

Security patch information

For more information about how to resolve this vulnerability, click the following section names to view the sections of this article:

Internet Information Services 5.1

Download information

The following files are available for download from the Microsoft Download Center:

Windows XP Professional (all languages)Windows XP 64-bit Edition (all languages)Release Date: May 28, 2003

For more information about how to download Microsoft support files, click the following article number to view the article in the Microsoft Knowledge Base:
119591 How to obtain Microsoft support files from online services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help prevent any unauthorized changes to the file.


Prerequisites

This patch requires that you have already installed the 329115 patch. If 329115 is not present, client-side certificates will be rejected. You can restore this functionality by installing the 329115 patch.
For more information about the 329115 patch, click the following article number to view the article in the Microsoft Knowledge Base:

329115 MS02-050: Certificate validation flaw might permit identity spoofing

This patch requires the released version of Windows XP or Windows XP Service Pack 1 (SP1).For more information, click the following article number to view the article in the Microsoft Knowledge Base:

322389 How to obtain the latest Windows XP service pack

Installation information

This patch supports the following Setup switches:
  • /? : Display the list of installation switches.
  • /u : Use Unattended mode.
  • /f : Force other programs to quit when the computer shuts down.
  • /n : Do not back up files for removal.
  • /o : Overwrite OEM files without prompting.
  • /z : Do not restart when installation is complete.
  • /q : Use Quiet mode (no user interaction).
  • /l : List installed hotfixes.
  • /x : Extract the files without running Setup.
To verify that the patch is installed on your computer, confirm that the following registry key exists:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP2\Q811114
Deployment information

To install the patch without any user intervention, use the following command line:
q811114_wxp_sp2_x86_enu /u /q
To install the patch without forcing the computer to restart, use the following command line:
q811114_wxp_sp2_x86_enu /z
Note You can combine these switches in one command line.

For information about how to deploy this patch by using Software Update Services, visit the following Microsoft Web site:Restart requirement

You do not have to restart your computer after you apply this patch. If a dialog box appears that states that you must restart your computer after you apply this patch, you can safely ignore it.

Removal information

To remove this update, use the Add/Remove Programs tool in Control Panel.

System administrators can use the Spunist.exe utility to remove this patch. Spuninst.exe is in the %Windir%\$NTUninstallQ811114$\Spuninst folder, and it supports the following Setup switches:
  • /? : Display the list of installation switches.
  • /u : Use unattended mode.
  • /f : Force other programs to quit when the computer shuts down.
  • /z : Do not restart when installation is complete.
  • /q : Use Quiet mode (no user interaction).
Patch replacement information

This patch replaces the patches that are discussed in the following Microsoft Knowledge Base articles:
327696 MS02-062: October 2002 cumulative patch for Internet Information Services

321599 MS02-028: Heap overrun in HTR-chunked encoding might enable Web server compromise

319733 MS02-018: April 2002 cumulative patch for Internet Information Services

File information

The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.
   Date         Time   Version        Size       File name     Platform
--------------------------------------------------------------------
21-Mar-2003 22:14 5.1.2600.1181 340,992 Asp51.dll i386
08-Aug-2002 12:31 2,411 Default.asp i386
21-Mar-2003 22:14 5.1.2600.1173 117,248 Ftpsv251.dll i386
21-Mar-2003 22:14 6.0.2600.1189 240,640 Httpext.dll i386
21-Mar-2003 22:14 5.1.2600.1172 55,296 Httpod51.dll i386
21-Mar-2003 22:14 5.1.2600.1152 129,536 Iische51.dll i386
21-Mar-2003 22:14 6.0.2600.1167 242,176 Infocomm.dll i386
21-Mar-2003 22:14 6.0.2600.1182 65,024 Isatq.dll i386
21-Mar-2003 22:14 6.0.2600.1167 10,752 Lonsint.dll i386
08-Aug-2002 12:31 19,224 Query.asp i386
08-Aug-2002 12:31 6,527 Search.asp i386
17-Dec-2002 23:03 5.1.2600.1152 11,264 Spiisupd.exe i386
21-Mar-2003 22:14 5.1.2600.1152 40,448 Ssinc51.dll i386
21-Mar-2003 22:14 5.1.2600.1166 340,992 W3svc.dll i386

21-Mar-2003 22:14 5.1.2600.1181 1,057,792 Asp51.dll IA64
08-Aug-2002 12:32 2,411 Default.asp
21-Mar-2003 22:14 5.1.2600.1173 289,792 Ftpsv251.dll IA64
21-Mar-2003 22:14 6.0.2600.1189 934,400 Httpext.dll IA64
21-Mar-2003 22:14 5.1.2600.1172 144,384 Httpod51.dll IA64
21-Mar-2003 22:14 5.1.2600.1152 155,136 Iische51.dll IA64
21-Mar-2003 22:14 6.0.2600.1167 669,696 Infocomm.dll IA64
21-Mar-2003 22:14 6.0.2600.1182 186,368 Isatq.dll IA64
21-Mar-2003 22:14 6.0.2600.1167 29,696 Lonsint.dll IA64
08-Aug-2002 12:32 19,224 Query.asp
08-Aug-2002 12:32 6,527 Search.asp
18-Dec-2002 00:05 5.1.2600.1152 24,064 Spiisupd.exe IA64
21-Mar-2003 22:14 5.1.2600.1152 96,768 Ssinc51.dll IA64
21-Mar-2003 22:14 5.1.2600.1166 921,088 W3svc.dll IA64
The following files are included to support the installation of the patch:
   Date         Time   Version   Size     File name     Platform
-------------------------------------------------------------
27-Feb-2002 19:58 4,092 Eula.txt i386
24-Mar-2003 17:38 11,508 Q811114.cat i386
21-Mar-2003 19:56 5.3.16.5 18,944 Spcustom.dll i386
21-Mar-2003 19:54 5.3.16.5 6,656 Spmsg.dll i386
21-Mar-2003 19:56 5.3.16.5 89,088 Spuninst.exe i386
21-Mar-2003 19:54 5.3.16.5 411,136 Update.exe i386
21-Mar-2003 22:14 5,219 Update.inf i386
21-Mar-2003 22:14 936 Update.ver i386

11-Sep-2002 14:04 4,092 Eula.txt IA64
24-Mar-2003 17:38 11,508 Q811114.cat IA64
21-Mar-2003 19:55 5.3.16.5 52,736 Spcustom.dll IA64
21-Mar-2003 19:55 5.3.16.5 6,144 Spmsg.dll IA64
21-Mar-2003 19:55 5.3.16.5 214,528 Spuninst.exe IA64
21-Mar-2003 19:55 5.3.16.5 859,648 Update.exe IA64
21-Mar-2003 22:14 5,255 Update.inf IA64
21-Mar-2003 22:14 939 Update.ver IA64
You can also verify the files that this patch is installed by reviewing the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP2\Q811114\Filelist
back to the section list

Internet Information Services 5.0

Download information

The following file is available for download from the Microsoft Download Center:

All languagesRelease Date: May 28, 2003

For more information about how to download Microsoft support files, click the following article number to view the article in the Microsoft Knowledge Base:
119591 How to obtain Microsoft support files from online services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help prevent any unauthorized changes to the file.


Prerequisites

This patch requires that you have already installed the 329115 patch. If 329115 is not present, client-side certificates will be rejected. You can restore this functionality by installing the 329115 patch.
For more information about the 329115 patch, click the following article number to view the article in the Microsoft Knowledge Base:

329115 MS02-050: Certificate validation flaw might permit identity spoofing

This patch requires Windows 2000 Service Pack 2 (SP2) or Windows 2000 Service Pack 3 (SP3).For more information, click the following article number to view the article in the Microsoft Knowledge Base:

260910 How to obtain the latest Windows 2000 service pack

Installation information

This patch supports the following Setup switches:
  • /? : Display the list of installation switches.
  • /u : Use Unattended mode.
  • /f : Force other programs to quit when the computer shuts down.
  • /n : Do not back up files for removal.
  • /o : Overwrite OEM files without prompting.
  • /z : Do not restart when installation is complete.
  • /q : Use Quiet mode (no user interaction).
  • /l : List installed hotfixes.
  • /x : Extract the files without running Setup.
To verify that the patch is installed on your computer, confirm that the following registry key exists:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP4\Q811114
Deployment information

To install the patch without any user intervention, use the following command line:
q811114_w2k_sp4_x86_en /u /q
To install the patch without forcing the computer to restart, use the following command line:
q811114_w2k_sp4_x86_en /z
Note You can combine these switches in one command line.

For information about how to deploy this patch by using Software Update Services, visit the following Microsoft Web site: Restart requirement

You do not have to restart your computer after you apply this hotfix. The installer stops the correct services, applies the patch, and then restarts the services. However, if the installer cannot stop the services for any reason, you must restart your computer after Setup completes. If this behavior occurs, a message appears that prompts you to restart the computer.

Removal information

To remove this update, use the Add/Remove Programs tool in Control Panel.

System administrators can use the Spunist.exe utility to remove this patch. Spuninst.exe is in the %Windir%\$NTUninstallQ811114$\Spuninst folder. This utility supports the following Setup switches:
  • /? : Display the list of installation switches.
  • /u : Use unattended mode.
  • /f : Force other programs to quit when the computer shuts down.
  • /z : Do not restart when installation is complete.
  • /q : Use Quiet mode (no user interaction).
Patch replacement information

This patch replaces the patches that are discussed in the following Microsoft Knowledge Base articles:
327696 MS02-062: October 2002 cumulative patch for Internet Information Services

321599 MS02-028: Heap overrun in HTR-chunked encoding might enable Web server compromise

319733 MS02-018: April 2002 cumulative patch for Internet Information Services

File information

The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.
   Date         Time   Version        Size     File name
--------------------------------------------------------
26-Feb-2003 13:07 5.0.2195.6628 246,544 Adsiis.dll
26-Feb-2003 13:07 5.0.2195.6672 337,168 Asp.dll
22-Mar-2002 16:15 2,413 Default.asp
26-Feb-2003 13:07 5.0.2195.6628 118,032 Ftpsvc2.dll
21-Mar-2003 22:16 5.0.2195.6692 246,544 Httpext.dll
26-Feb-2003 13:07 5.0.2195.6667 57,104 Httpodbc.dll
26-Feb-2003 13:07 5.0.2195.6664 122,128 Idq.dll
26-Feb-2003 13:07 5.0.2195.6628 121,104 Iischema.dll
26-Feb-2003 13:07 5.0.2195.6628 56,592 Iisext.dll
26-Feb-2003 13:07 5.0.2195.6666 78,608 Iislog.dll
20-Mar-2002 09:59 30 Iisperf.txt
26-Feb-2003 13:07 5.0.2195.6620 122,640 Iisrtl.dll
26-Feb-2003 13:07 5.0.2195.6666 248,592 Infocomm.dll
26-Feb-2003 13:07 5.0.2195.6666 62,736 Isatq.dll
26-Feb-2003 13:07 5.0.2195.6620 46,352 Ism.dll
26-Feb-2003 13:07 5.0.2195.6666 12,048 Lonsint.dll
26-Feb-2003 13:07 5.0.2195.6620 26,896 Mdsync.dll
24-Sep-2002 13:39 5.0.2195.6607 6,928 Perfvd.exe
22-Mar-2002 16:15 19,178 Query.asp
22-Mar-2002 16:15 5,571 Search.asp
17-Oct-2002 17:00 5.0.2195.6611 13,072 Spiisupd.exe
26-Feb-2003 13:07 5.0.2195.6624 41,232 Ssinc.dll
26-Feb-2003 13:07 5.0.2195.6672 349,968 W3svc.dll
26-Feb-2003 13:07 5.0.2195.6620 72,464 Wam.dll
The following files are included to support the installation of the patch:
   Date         Time   Version   Size     File name
---------------------------------------------------
15-Nov-2001 19:27 5,149 Empty.cat
01-Apr-2002 21:46 4,092 Eula.txt
21-Mar-2003 23:18 14,231 Q811114.cat
14-Mar-2003 15:51 5.3.16.5 18,944 Spcustom.dll
14-Mar-2003 15:48 5.3.16.5 6,656 Spmsg.dll
14-Mar-2003 15:51 5.3.16.5 89,088 Spuninst.exe
14-Mar-2003 15:48 5.3.16.5 411,136 Update.exe
21-Mar-2003 20:49 37,977 Update.inf
21-Mar-2003 23:10 1,586 Update.ver
You can also verify the files that this patch installed by reviewing the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP4\Q811114\Filelist
back to the section list

Internet Information Server 4.0

Download information

The following file is available for download from the Microsoft Download Center:

All languagesRelease Date: May 28, 2003

For more information about how to download Microsoft support files, click the following article number to view the article in the Microsoft Knowledge Base:
119591 How to obtain Microsoft support files from online services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help prevent any unauthorized changes to the file.


Prerequisites

Microsoft Internet Information Server (IIS) is not intended for use on Windows NT Server 4.0, Terminal Server Edition, and is not supported. Microsoft recommends that customers who run IIS 4.0 on Windows NT Server 4.0, Terminal Server Edition, protect their systems by removing IIS 4.0.

This patch requires that you have already installed the 329115 patch. If 329115 is not present, client-side certificates will be rejected. You can restore this functionality by installing the 329115 patch.
For more information about the 329115 patch, click the following article number to view the article in the Microsoft Knowledge Base:

329115 MS02-050: Certificate validation flaw might permit identity spoofing

This patch requires Windows NT 4.0 Service Pack 6a (SP6a).
For more information, click the following article number to view the article in the Microsoft Knowledge Base:

152734 How to obtain the Latest Windows NT 4.0 service pack

Installation information

This patch supports the following Setup switches:
  • /y : Perform removal (only with /m or /q ).
  • /f : Force programs to be closed at shutdown.
  • /n : Do not create an Uninstall folder.
  • /z : Do not restart when update completes.
  • /q : Use Quiet or Unattended mode with no user interface (this switch is a superset of /m ).
  • /m : Use Unattended mode with user interface.
  • /l : List installed hotfixes.
  • /x : Extract the files without running Setup.
To verify that the patch is installed on your computer, confirm that the following registry key exists:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q811114
Deployment information

To install the patch without any user intervention, use the following command line:
q811114i.exe /q
To install the patch without forcing the computer to restart, use the following command line:
q811114i.exe /z
Note You can combine these switches in one command line.

For information about how to deploy this patch by using Software Update Services, visit the following Microsoft Web site: Restart Requirement

To install this patch without restarting your computer, follow these steps:
  1. Stop all IIS services.
  2. Install the patch that contains the hotfix by using the
    /zswitch.
  3. Restart the IIS services.
Removal information

System administrators can use the Hotfix.exe utility to remove this patch. Hotfix.exe is in the %Windir%\$NTUninstallQ811114$ folder, and it supports the following Setup switches:
  • /y : Perform removal (only with /m or /q ).
  • /f : Force programs to be closed at shutdown.
  • /n : Do not create an Uninstall folder.
  • /z : Do not restart when update completes.
  • /q : Use Quiet or Unattended mode with no user interface (this switch is a superset of /m ).
  • /m : Use Unattended mode with user interface.
  • /l : List installed hotfixes.
  • /x : Extract the files without running Setup.
Patch replacement information

This patch replaces the patches that are discussed in the following Microsoft Knowledge Base articles:
327696 MS02-062: October 2002 cumulative patch for Internet Information Services

321599 MS02-028: Heap overrun in HTR-chunked encoding might enable Web server compromise

319733 MS02-018: April 2002 cumulative patch for Internet Information Services

File information

The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.
   Date         Time   Version     Size     File name
-----------------------------------------------------
07-Mar-2003 19:58 4.2.785.1 214,544 Adsiis.dll
07-Mar-2003 19:58 4.2.785.1 332,224 Asp.dll
02-Apr-2001 20:55 4.0.2.4701 593,976 Fp4autl.dll
07-Mar-2003 19:58 4.2.785.1 81,888 Ftpsvc2.dll
07-Mar-2003 19:57 4.2.785.1 55,936 Httpodbc.dll
13-Jul-2001 20:14 5.0.1782.4 193,296 Idq.dll
07-Mar-2003 19:58 4.2.785.1 99,424 Iischema.dll
07-Mar-2003 19:56 4.2.785.1 63,984 Iislog.dll
07-Mar-2003 19:57 4.2.785.1 187,344 Infocomm.dll
07-Mar-2003 19:56 4.2.785.1 47,936 Isatq.dll
07-Mar-2003 19:56 4.2.785.1 29,520 Iscomlog.dll
07-Mar-2003 20:00 4.2.785.1 54,560 Ism.dll
07-Mar-2003 19:59 4.2.785.1 31,872 Mdsync.dll
07-Mar-2003 20:01 4.2.785.1 9,680 Schmupd.exe
07-Mar-2003 19:58 4.2.785.1 38,256 Ssinc.dll
07-Mar-2003 19:58 4.2.785.1 25,360 Sspifilt.dll
07-Mar-2003 19:57 4.2.785.1 231,616 W3svc.dll
07-Mar-2003 19:57 4.2.785.1 88,032 Wam.dll
The following files are included to support the installation of the patch.
   Date         Time   Version        Size    File name
-----------------------------------------------------
19-Sep-2002 17:29 4.0.1381.7163 95,504 Hotfix.exe
12-May-2003 21:27 11,327 Hotfix.inf
back to the section list

Status

Microsoft has confirmed that this problem may cause a degree of security vulnerability in the Microsoft products that are listed in the "Applies To" section.
This problem was first corrected in Windows XP Service Pack 2.

More Information

For more information about this vulnerability, visit the following Microsoft Web site: Customers who use Site Server must be aware that a previously documented issue that involves intermittent authentication errors affects this patch and a small number of other patches.
For more information, click the following article number to view the article in the Microsoft Knowledge Base:

317815 Site Server logon problems occur after you apply certain Windows 2000 hotfixes

These patches do not include fixes for vulnerabilities that involve non-IIS products, such as the Microsoft FrontPage Server Extensions and Microsoft Index Server, although these products are closely associated with IIS and are typically installed on IIS servers. However, there is one exception. The fix for the vulnerability that affects Index Server is included in this patch because of the seriousness of the issue for IIS servers. (This vulnerability is discussed in
Microsoft Security Bulletin MS01-033.) At the time that this article was written, the Microsoft Security Bulletins that discuss these vulnerabilities are as follows:
The fixes for the following vulnerabilities that affect IIS 4.0 are not included in the patch because they require administrative action instead of a software change. Administrators must make sure that they not only apply this patch, but also take the administrative action that is described in the following bulletins:
Properties

Article ID: 811114 - Last Review: Feb 15, 2017 - Revision: 2

Feedback