COMMAND

    IIS

SYSTEMS AFFECTED

    Microsoft Internet Information Server 4.0, 5.0

PROBLEM

    The following is based on a Microsoft Security Bulletin. Special
    characters can be embedded in URLs by use of so-called escaped
    character sequences. By providing a specially malformed URL with
    an extremely large number of escaped characters, a malicious user
    could arbitrarily increase the work factor associated with parsing
    the escaped characters, thereby consuming much or all of the CPU
    availability on the server and preventing useful work from being
    done.

    The vulnerability does not provide any capability to cause the
    server to fail, or to add, change or delete data on it. The
    slowdown would only last until the URL had been processed, at
    which point service would return to normal.
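
    For detection, the added example below (not part of the bulletin)
    scans W3C extended log lines for request targets that carry an
    unusually large number of escaped characters. The threshold, the
    sample log lines and the assumption that the log records the
    request target as received are all constructed for illustration.

```python
import re

# One escaped character: '%' followed by two hex digits.
ESCAPE_RE = re.compile(r"%[0-9A-Fa-f]{2}")

# Assumed threshold, not taken from the bulletin; tune to local traffic.
MAX_ESCAPES = 100


def escape_stats(target):
    """Return (escape_count, share of the target's characters inside escapes)."""
    count = len(ESCAPE_RE.findall(target))
    ratio = 3 * count / len(target) if target else 0.0
    return count, ratio


def scan_w3c(lines):
    """Return [(client_ip, escape_count, ratio)] for requests over the threshold."""
    fields, flagged = [], []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column names for the rows that follow
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        target = row.get("cs-uri-stem", "")
        query = row.get("cs-uri-query", "-")
        if query != "-":                   # '-' marks an empty field
            target += "?" + query
        count, ratio = escape_stats(target)
        if count > MAX_ESCAPES:
            flagged.append((row.get("c-ip", "?"), count, round(ratio, 2)))
    return flagged


# Constructed sample log (documentation IP ranges, made-up timestamps).
SAMPLE_LOG = [
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2000-04-12 10:00:01 192.0.2.10 GET /default.asp - 200",
    "2000-04-12 10:00:02 192.0.2.11 GET /docs/My%20File.htm id=1 200",
    "2000-04-12 10:00:03 198.51.100.7 GET /" + "%41" * 5000 + " - 404",
]

if __name__ == "__main__":
    for ip, count, ratio in scan_w3c(SAMPLE_LOG):
        print(f"{ip}: {count} escaped characters ({ratio:.0%} of the target)")
```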

    Microsoft thanks Vanja Hrustic of the Relay Group for reporting
    the "Myriad Escaped Character" vulnerability to them and working
    with them to protect customers.

SOLUTION

    Patch availability:

      - Internet Information Server 4.0
        http://www.microsoft.com/Downloads/Release.asp?ReleaseID=20292
      - Internet Information Server 5.0
        http://www.microsoft.com/Downloads/Release.asp?ReleaseID=20286