Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email email@example.com
Subject: Update to Microsoft Security Bulletin MS00-086
From: Microsoft Security Response Center (secureMICROSOFT.COM)
Date: Fri Nov 10 2000 - 20:31:35 CST
- Next message: SNS Research: "Rideway PN Telnet DoS"
- Previous message: Georgi Guninski: "IE 5.x Win2000 Indexing service vulnerability"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
-----BEGIN PGP SIGNED MESSAGE-----
Hi All -
We have updated Microsoft Security Bulletin MS00-086
provide the following additional information:
* There is an additional restriction on the vulnerability. As
originally reported, the malicious user would need to request a file
via a particular type of malformed URL in order to exploit the
vulnerability. However, the request would only be processed if (a)
it requested a .bat or .cmd file; (b) the file actually existed and
(c) the malicious user had execute permissions on the file. This
would make the vulnerability more difficult to exploit than
* IIS 4.0 is affected by the vulnerability, but only if it's used in
conjunction with a Windows NT 4.0 service pack prior to Service Pack
6a. Customers running IIS 4.0 on SP6a are not affected by it.
Service Pack 6a is available at
The updated bulletin has additional details. Regards,
Security Program Manager
Microsoft Security Response Center
-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.3
-----END PGP SIGNATURE-----
** TO UNSUBSCRIBE, send the command "UNSUBSCRIBE win2ksecadvice"
** FOR A WEEKLY DIGEST, send the command "SET win2ksecadvice DIGEST"
SEND ALL COMMANDS TO: listservlistserv.ntsecurity.net