Subject: Update to Microsoft Security Bulletin MS00-086
From: Microsoft Security Response Center (secureMICROSOFT.COM)
Date: Fri Nov 10 2000 - 20:31:35 CST


Hi All -

We have updated Microsoft Security Bulletin MS00-086
(http://www.microsoft.com/technet/security/bulletin/MS00-086.asp), to
provide the following additional information:
* There is an additional restriction on the vulnerability. As
originally reported, the malicious user would need to request a file
via a particular type of malformed URL in order to exploit the
vulnerability. However, the request would only be processed if (a)
it requested a .bat or .cmd file; (b) the file actually existed and
(c) the malicious user had execute permissions on the file. This
would make the vulnerability more difficult to exploit than
originally reported.
* IIS 4.0 is affected by the vulnerability, but only if it's used in
conjunction with a Windows NT 4.0 service pack prior to Service Pack
6a. Customers running IIS 4.0 on SP6a are not affected by it.
Service Pack 6a is available at
http://www.microsoft.com/NTServer/nts/downloads/recommended/SP6/allsp6.asp

The updated bulletin has additional details. Regards,

Scott Culp
Security Program Manager
Microsoft Security Response Center
