COMMAND

    SSL

SYSTEMS AFFECTED

    - Microsoft IIS 4.0
    - Microsoft Site Server 3.0
    - Microsoft Site Server Commerce Edition 3.0

PROBLEM

    The following is based on a Microsoft Security Bulletin.  The SSL
    ISAPI filter provided as part of IIS supports concurrent use.  When
    used in this mode, a synchronization problem could induce a race
    condition and cause a single buffer of plaintext to be leaked.
    The conditions under which this could happen are very rare, and
    could only occur when a single user's session was multi-threaded
    and traffic volumes were extremely high.  The scope of this
    vulnerability is very limited.  The leaked plaintext would always
    be sent to its owner, never to another user.  Also, because the
    leaked data would fail its integrity check, the effect of the
    leak would be to cause the SSL session to collapse immediately.
    The condition could not be induced by a hostile user, and would
    offer at best a target of opportunity.  Finally, it is worth
    noting that this vulnerability only affects the SSL ISAPI filter,
    not the secure communications capability provided by Windows NT
    via Schannel.

SOLUTION

    Patch availability:

    - x86:
        http://www.microsoft.com/downloads/release.asp?ReleaseID=16186
    - Alpha:
        http://www.microsoft.com/downloads/release.asp?ReleaseID=16187

    This and other patches are available from the Microsoft Download
    Center:

        http://www.microsoft.com/downloads/search.asp?Search=Keyword&Value='security_patch'&OpSysID=1