Security Information

Security Information  Week 29, 1999

Microsoft has recently released security bulletin MS99-025, which is a re-release of bulletin MS98-004. The bulletin discusses vulnerabilities in the default installation of Internet Information Server (IIS) version 4 from the Windows NT 4 Option Pack CD.

New information became available after the initial re-release, and the bulletin has since been adjusted. The latest version of MS99-025 is available here.

Microsoft's Internet Information Server is one of the most popular web servers on the Internet. It is highly recommended that users of this server take the necessary actions to secure their servers against this vulnerability (see links below).

The issue lies in the Microsoft Data Access Components (MDAC), more specifically in Remote Data Services (RDS), a component of MDAC. The vulnerability may allow an unauthorized user to perform actions on a server running IIS version 4 (and 3). Such actions include:

  • Execution of shell commands as a privileged user.
  • Unauthorized access to secured, non-published files on the IIS server.

The links below include more information about this vulnerability and about how to secure the IIS server. Note that there is no patch available to eliminate this security vulnerability; a change of configuration is needed.

It is strongly advised to secure your IIS server by the methods described in the articles in this list.

Per Olav Førland