SecurityvulnsSECURITYVULNS:DOC:913Update to Microsoft Security Bulletin MS00-086
-----BEGIN PGP SIGNED MESSAGE-----
Hi All -
We have updated Microsoft Security Bulletin MS00-086
(http://www.microsoft.com/technet/security/bulletin/MS00-086.asp), to
provide the following additional information:
-
There is an additional restriction on the vulnerability. As
originally reported, the malicious user would need to request a file
via a particular type of malformed URL in order to exploit the
vulnerability. However, the request would only be processed if (a)
it requested a .bat or .cmd file; (b) the file actually existed and
(c) the malicious user had execute permissions on the file. This
would make the vulnerability more difficult to exploit than
originally reported.
-
IIS 4.0 is affected by the vulnerability, but only if it's used in
conjunction with a Windows NT 4.0 service pack prior to Service Pack
6a. Customers running IIS 4.0 on SP6a are not affected by it.
Service Pack 6a is available at
http://www.microsoft.com/NTServer/nts/downloads/recommended/SP6/allsp6
.asp
The updated bulletin has additional details. Regards,
Scott Culp
Security Program Manager
Microsoft Security Response Center
-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.3
iQEVAwUBOgyvXI0ZSRQxA/UrAQEiVQgAlYPjRh+kyZ2qYodTBT3SocTof1SjVShB
0VZB9KvIagWCjE4E8J8G04IhTICW4PMZPFuRrRVM47rxjGFQaw0lH1FBRaJ9XV4n
b8bvacwu5jBcw7NaTcMcx17AbxznyMDkwPG/jLtzi/Ss8s06xxTfSQU9+lxOmnmA
aR1himlKLmgLAU9cksnUogRsHmOjW4ChzF+zjYJPNfV039lDZFbc3gzI1BcMYOR7
FagOR5wV5yDRPRE7dL/YS15x0/S0AKHC5HAe9sdYqOkJGOw+QGvl3xjGt/tpw4Fd
PNuRpBzBoAxIeykIWzP7FWp4bFb+IPM11OMaOt93i8jtXrh0Z79dHw==
=jYJu
-----END PGP SIGNATURE-----