eEye Digital Security Announces a Major Vulnerability in Default Installations of Windows NT 4.0 and Windows 2000 Server Systems Running IIS

(ALISO VIEJO, CA) April 10, 2002 — eEye Digital Security has discovered a critical security vulnerability in Microsoft's (www.microsoft.com) Internet Information Services Web Server software. The vulnerability is specifically within the IIS ASP (Active Server Pages) ISAPI filter. Loaded by default on all Windows NT 4.0 and Windows 2000 Server systems, the .ASP Buffer Overflow vulnerability can be exploited remotely to execute code of an attacker's choice.

The ISAPI filter enables web-based applications to deliver dynamic, interactive web content. However, eEye has discovered that the decoding and interpretation of form data exchanged via chunked encoding can force IIS to overwrite data and expose the server to intrusion. Network administrators are urged to immediately install the patch released by Microsoft at http://www.microsoft.com/technet/security/bulletin/MS02-018.asp.
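The defensive principle behind the paragraph above, as an added illustration that is not eEye's or Microsoft's code and does not model the specific IIS defect: a chunked-transfer decoder must validate each declared chunk size and the running total against a fixed limit before it copies a single byte into the output buffer. The byte limit and sample inputs below are constructed assumptions.

```python
import re

MAX_BODY = 64 * 1024  # assumed policy limit for decoded form data (constructed value)
CHUNK_SIZE_RE = re.compile(rb"[0-9A-Fa-f]{1,8}")  # bounded hex size field, no sign, no underscores

class ChunkedDecodeError(ValueError):
    """Raised when the chunked body is malformed or exceeds the configured limit."""

def decode_chunked(data: bytes, max_body: int = MAX_BODY) -> bytes:
    """Decode an HTTP/1.1 chunked body, checking every size before copying bytes."""
    out = bytearray()
    pos = 0
    while True:
        eol = data.find(b"\r\n", pos)
        if eol < 0:
            raise ChunkedDecodeError("truncated chunk-size line")
        size_field = data[pos:eol].split(b";", 1)[0].strip()  # drop chunk extensions
        if not CHUNK_SIZE_RE.fullmatch(size_field):
            raise ChunkedDecodeError("bad chunk-size field")
        size = int(size_field, 16)
        pos = eol + 2
        if size == 0:
            break  # last-chunk; trailer fields are not processed here
        # Bound check happens before any data is appended, so a huge declared
        # size can never drive a copy past the output buffer.
        if len(out) + size > max_body:
            raise ChunkedDecodeError("decoded body exceeds limit")
        chunk = data[pos:pos + size]
        if len(chunk) != size or data[pos + size:pos + size + 2] != b"\r\n":
            raise ChunkedDecodeError("chunk shorter than declared size")
        out += chunk
        pos += size + 2
    return bytes(out)

def rejects(data: bytes) -> bool:
    """True if the decoder refuses the input (used to check the failure paths)."""
    try:
        decode_chunked(data)
    except ChunkedDecodeError:
        return True
    return False

# Constructed sample inputs: one well-formed body, two malformed ones.
SAMPLE_OK = b"5\r\nname=\r\n4\r\neEye\r\n0\r\n\r\n"
SAMPLE_OVERSIZED = b"FFFFFFFF\r\n"          # declares ~4 GiB, far above MAX_BODY
SAMPLE_TRUNCATED = b"3\r\nab\r\n0\r\n\r\n"   # declares 3 bytes, supplies 2
```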

eEye discovered the Windows 2000 and NT4 IIS .ASP Buffer Overflow vulnerability while enhancing eEye's SecureIIS™ Application Firewall product. Clients using SecureIIS version 1.2.5 and above are protected from any attack that may potentially leverage this vulnerability. SecureIIS is able to proactively analyze and halt unconventional communication between IIS servers and clients, thus preventing intrusion via the .ASP Buffer Overflow vulnerability. IIS server customers using intrusion detection systems or server "hardening" tools from other vendors are potentially exposed to this vulnerability unless corrected via proper installation of the Microsoft patch.

eEye alerted Microsoft's security team immediately upon discovery of the vulnerability and has worked closely with Microsoft on the development of a patch and the expeditious alerting of administrators worldwide.

For further information and a technical description of the vulnerability please visit:
http://www.eeye.com/html/Research/Advisories/AD20020410.html

About eEye Digital Security

eEye Digital Security® is pioneering a new class of security products: integrated threat management. This next generation of security detects vulnerabilities and threats, prevents intrusions, protects all of an enterprise’s key computing resources, from endpoints to network assets to web sites and web applications, all while providing a centralized point of security management and network visibility. eEye’s research team is consistently the first to identify new threats in the wild, and our products leverage that research to deliver on the goal of making network security as easy to use and reliable as networking itself. Founded in 1998 and headquartered in Orange County, California, eEye Digital Security protects more than 9,000 corporate and government organizations worldwide, including half of the Fortune 100. For more information, please visit www.eeye.com.

Primary Agency Contact

Victor Cruz
MediaPR
(508) 655-4397 eEye@mediapr.net

EMEA Agency Contact

Ralph Klöwer
INTERFACE Relations
+49 (0) 89-552 688-66 r.kloewer@interface.pr.de

Corporate Contact

Stacy Newman
eEye Digital Security
(949) 900-4131 press@eEye.com