Microsoft Releases Two Security Patches

Microsoft yesterday released two security patches for their Internet Information Server (IIS). The first eliminates an escape character parsing vulnerability, while the second patches a virtual directory naming vulnerability.

The "Escape Character Parsing" vulnerability could allow files on a web server to be specified using an alternate representation, in order to bypass access controls of some third-party applications. RFC 1738 specifies that Web servers must allow hexadecimal digits to be input in URLs by preceding them with the so-called “escape” character, a percent sign. IIS complies with this specification, but also accepts characters after the percent sign that are not hexadecimal digits. Some of these translate to printable ASCII characters, and this could provide an alternate means of specifying files in URLs.
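The strict reading of RFC 1738 described above, as an added example (not Microsoft's or BetaNews's code): an access filter that refuses any percent sign not followed by two hexadecimal digits, and applies its rule only to the decoded path. The function names, the denied prefix and the sample paths are assumptions constructed for illustration.

```python
import re

# A '%' that is not followed by exactly two hexadecimal digits.
_BAD_ESCAPE = re.compile(r"%(?![0-9A-Fa-f]{2})")
_GOOD_ESCAPE = re.compile(r"%([0-9A-Fa-f]{2})")

# Constructed policy for the example: path prefixes the filter must block.
DENIED_PREFIXES = ("/private/",)


class MalformedEscape(ValueError):
    """Raised when a URL path contains '%' without two hex digits after it."""


def strict_unescape(path: str) -> str:
    """Decode %XX escapes, refusing anything a lenient server might guess at."""
    bad = _BAD_ESCAPE.search(path)
    if bad:
        raise MalformedEscape(
            f"invalid escape {path[bad.start():bad.start() + 3]!r} "
            f"at offset {bad.start()}"
        )
    # Each escape is decoded once, as a single byte value (enough for ASCII paths).
    return _GOOD_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), path)


def is_allowed(raw_path: str, denied=DENIED_PREFIXES) -> bool:
    """Apply the access rule to the decoded path, never to the raw string."""
    try:
        canonical = strict_unescape(raw_path)
    except MalformedEscape:
        return False  # fail closed: the server may read this differently than we do
    # Windows file names are case-insensitive, so compare in lower case.
    canonical = canonical.lower()
    return not any(canonical.startswith(prefix) for prefix in denied)


if __name__ == "__main__":
    # Constructed sample requests.
    for p in ("/public/index.htm", "/private/a.asp", "/%70rivate/a.asp",
              "/PRIVATE/a.asp", "/public/%zzfile", "/public/100%"):
        print(f"{p:22} -> {'allow' if is_allowed(p) else 'deny'}")
```

Rejecting malformed escapes outright means the filter never has to predict how the server behind it would interpret them.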

Under certain conditions, the "Virtual Directory Naming" vulnerability could cause a web server to send the source code of .ASP and other files to a visiting user. If a file on one of the affected web server products resides in a virtual directory whose name contains a legal file extension, the normal server-side processing of the file can be bypassed. The vulnerability would manifest itself in different ways depending on the specific file type requested, the specific file extension in the virtual directory name, and the permissions that the requester has in the directory. In most cases, an error would result and the requested file would not be served. In the worst case, the source code of .ASP or other files could be sent to the browser.

Visit the Microsoft Security Advisor Web Site located at http://www.microsoft.com/security for more information and to download these latest patches.
