COMMAND

    IIS and Exchange

SYSTEMS AFFECTED

    IIS 5.0 and Exchange 2000

PROBLEM

    Following  is  based  on  MS  Security  Alert  MS01-014.   IIS 5.0
    contains a flaw  affecting the way  that an URL  is handled if  it
    has  a  specific  construction  and  its  length  is within a very
    narrow range of values.   If such an URL  were repeatedly sent  to
    an affected system,  a confluence of  events could cause  a memory
    allocation  error  that  would  result  in  the failure of the IIS
    service.

    Exchange 2000 is affected by  the same vulnerability.  To  support
    web-based  mail  clients,  it  introduces  the  ability to address
    items on the store  via URLs.  This  is done in part  by using IIS
    5.0,  and  in  part  via  code  that is specific to Exchange 2000.
    Both pieces of code contain the flaw, but the effect of exploiting
    the vulnerability via either would be the same -- it could be used
    to cause the IIS service to fail, but could not be used to  attack
    the Exchange service itself.   That is, successfully attacking  an
    Exchange  server  via  this  vulnerability would disrupt web-based
    mail clients' use of the  server, but not that of  MAPI-based mail
    clients like Outlook.

    Because the  flaw occurs  in two  different code  modules, one  of
    which installs as  part of IIS  5.0 and both  of which install  as
    part  of  Exchange  2000,  it  is  important  for  Exchange   2000
    administrators to install both the IIS and Exchange patches.

    - The  vulnerability would  not enable  the attacker  to gain  any
      administrative control  over the  server, or  to alter  any data
      on it.
    - The affected  services automatically restart  in the event  of a
      failure,  so  an  affected  system  would  resume service almost
      immediately.
    - A  successful  attack  against  an  Exchange  server would  only
      disrupt web-based mail clients' use  of the server.  The  server
      would  continue  to  be  available  for  MAPI-based clients like
      Outlook.
    - The ISAPI involved in this vulnerability authenticates the  user
      prior  to  servicing  the  request,  so  a  properly  configured
      Exchange server would be at less risk than an IIS server.

    Kevin Kotas was the one who found this originally.

SOLUTION

    A patch is available to  fix this vulnerability.  Please  read the
    Security Bulletin

        http://www.microsoft.com/technet/security/bulletin/ms01-014.asp

    for information on obtaining this patch.