[1][USEMAP]
   [2][USEMAP]
   
   
     [3][LINK] 
   
   Allaire Security Bulletin (ASB00-25)
   Microsoft (MS00-063): Patch Available for "Invalid URL" Vulnerability
   
   Originally Posted: September 11, 2000
   Last Updated: September 11, 2000
   Summary
   
   Microsoft has released a patch that eliminates a security
   vulnerability in Microsoft(r) Internet Information Server (IIS). The
   vulnerability could enable a malicious user to prevent a web server
   from providing useful service. This is not a problem with the
   ColdFusion Server, but it is an issue that can affect ColdFusion
   users, as described in the Issue section. Allaire recommends that
   customers follow the instructions posted on the Microsoft Web site to
   address this issue.
   Issue
   
   This issue is clearly explained in the Microsoft Security Bulletin
   (MS00-063):
        If an affected web server received a particular type of invalid
   URL, it could, under certain conditions, start a chain of events that
   would culminate in an invalid memory request that would cause the IIS
   service to fail. This would prevent the server from providing web
   services.
   This vulnerability does not provide the opportunity to compromise any
   data on the server or to usurp any administrative privileges on the
   server. An affected machine could be put back into service by
   restarting the IIS service.
   Although the effect of the vulnerability manifests itself through IIS,
   the underlying problem actually lies within Windows NT 4.0. Microsoft
   engineers worked extensively to identify scenarios for exploiting the
   vulnerability directly through Windows NT 4.0, but did not find any -
   the only scenarios identified to date involve IIS. Nevertheless, it is
   possible that scenarios for exploiting the vulnerability through
   Windows NT 4.0 do exist, and as a result, we recommend that customers
   using Windows NT 4.0 consider applying the patch.      Source:
   Microsoft Security Bulletin (MS00-063) [online]. [Redmond, Washington,
   USA] : Microsoft, September 2000 [cited 06 September 2000]. Available
   from World Wide Web:
   <[4]http://www.microsoft.com/technet/security/bulletin/ms00-063.asp>.
   Affected Software Versions
     * Microsoft Internet Information Server 4.0
       Note: As noted above in the Issue section, the root cause of this
       vulnerability lies in Windows NT 4.0, and Microsoft recommends
       that customers using Windows NT 4.0 consider applying the patch.
       
   What Allaire is Doing
   
   This is not an Allaire product. We are recommending that customers
   reference the information at Microsoft's web site to address this
   issue.
   What Customers Should Do
   
   There is a patch available to correct this problem. It is detailed in
   the following Microsoft Security Bulletin (MS00-063):
   
   [5]http://www.microsoft.com/technet/security/bulletin/ms00-063.asp
   
   Please note: this issue and patch may not be required for all users.
   Allaire customers should review all material in the Microsoft Security
   Bulletin and related documents carefully before applying the patch. As
   always, customers should test patch changes in a testing environment
   before modifying production servers.
   Revisions
   September 11, 2000 -- Bulletin first created. Reporting Security
   Issues
   Allaire is committed to addressing security issues and providing
   customers with the information on how they can protect themselves. If
   you identify what you believe may be a security issue with an Allaire
   product, please send an email to secure@allaire.com. We will work to
   appropriately address and communicate the issue.
   
   Receiving Security Bulletins
   When Allaire becomes aware of a security issue that we believe
   significantly affects our products or customers, we will notify
   customers when appropriate. Typically this notification will be in the
   form of a security bulletin explaining the issue and the response.
   Allaire customers who would like to receive notification of new
   security bulletins when they are released can sign up for our security
   notification service.
   
   For additional information on security issues at Allaire, please visit
   the Security Zone at:
   [6]http://www.allaire.com/security.
   THE INFORMATION PROVIDED BY ALLAIRE IN THIS BULLETIN IS PROVIDED "AS
   IS" WITHOUT WARRANTY OF ANY KIND. ALLAIRE DISCLAIMS ALL WARRANTIES,
   EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY
   AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL ALLAIRE
   CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER
   INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF
   BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF ALLAIRE CORPORATION OR
   ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
   SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR
   CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY
   NOT APPLY.
   
   Allaire reserves the right, from time to time, to update the
   information in this document with current information.
   
   < a l l a i r e >
   Copyright © 1995-2000 Allaire Corp., All rights reserved.
   [7]Year 2000 (Y2K)    [8]Site problems?    [9]Service questions?
   [10]Privacy Policy

References

   1. LYNXIMGMAP:http://www.allaire.com/handlers/index.cfm?ID=17464&Method=Full#allaireHome
   2. LYNXIMGMAP:http://www.allaire.com/handlers/index.cfm?ID=17464&Method=Full#tools
   3. javascript:history.back()
   4. http://www.microsoft.com/technet/security/bulletin/ms00-063.asp
   5. http://www.microsoft.com/technet/security/bulletin/ms00-063.asp
   6. http://www.allaire.com/security
   7. http://www.allaire.com/developer/year2000
   8. mailto:webmaster@allaire.com
   9. mailto:info@allaire.com
  10. http://www.allaire.com/privacy/