15 June this year a new security hole in Microsoft's web server, Internet Information Server (IIS) version 4, was reported by eEye Digital Security Team.

This involves a denial of service threat with buffer overruns in certain server side modules. The vulnerability can cause the web server to crash. However, the security hole is more serious, as it lets a malicious person execute program code on the web server.

The IIS module which is being exposed to this security hole, is part of the default installation of IIS version 4. Neither of Microsoft's Windows NT service packs 1-5 do fix this security hole. The vulnerability occurs during requests for . HTR, .STM and .IDC files, and how such requests are processed.

Internet Information Server may be installed as part of other Microsoft products. If you are unsure whether you are vulnerable or not, you may search for the files

• ISM.DLL
• SSINC.DLL
• HTTPODBC.DLL

If any of these are present on your system, you are potentially vulnerable to this exploit.

A way to eliminate one of the dangers manually (the .HTR extensions) was published from Microsoft the same day the exploit was annonced. Two days later Microsoft released a hotfix which supposedly eliminates this security hole for all file types involved.

A the source code for a malicions worm which utilizes this security hole has been posted in certain news groups on the Internet. This worm - when compiled - has a huge potential for propagation, and may cause worse problems in the Internet community than the recent ExploreZip worm.

When this security information was written, there have been no reports that this worm is "in the wild".

Norman strongly advise all users of Internet Information Server version 4 to install the hotfix supplied by Microsoft.

Below are some links with more information about this vulnerability:

• NTBugtraq's summary
• Microsoft's security bulletin
• Microsoft's knowledge base article regarding this vulnerability
• eEye Digital Security Team's alert

Per Olav Førland