-----BEGIN PGP SIGNED MESSAGE-----
Hi All -
We have updated Microsoft Security Bulletin MS00-086
(http://www.microsoft.com/technet/security/bulletin/MS00-086.asp), to
provide the following additional information:
There is an additional restriction on the vulnerability. As
originally reported, the malicious user would need to request a file
via a particular type of malformed URL in order to exploit the
vulnerability. However, the request would only be processed if (a)
it requested a .bat or .cmd file; (b) the file actually existed and
(c) the malicious user had execute permissions on the file. This
would make the vulnerability more difficult to exploit than
originally reported.
IIS 4.0 is affected by the vulnerability, but only if it's used in
conjunction with a Windows NT 4.0 service pack prior to Service Pack
6a. Customers running IIS 4.0 on SP6a are not affected by it.
Service Pack 6a is available at
http://www.microsoft.com/NTServer/nts/downloads/recommended/SP6/allsp6
.asp
The updated bulletin has additional details. Regards,
Scott Culp
Security Program Manager
Microsoft Security Response Center
-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.3
iQEVAwUBOgyvXI0ZSRQxA/UrAQEiVQgAlYPjRh+kyZ2qYodTBT3SocTof1SjVShB
0VZB9KvIagWCjE4E8J8G04IhTICW4PMZPFuRrRVM47rxjGFQaw0lH1FBRaJ9XV4n
b8bvacwu5jBcw7NaTcMcx17AbxznyMDkwPG/jLtzi/Ss8s06xxTfSQU9+lxOmnmA
aR1himlKLmgLAU9cksnUogRsHmOjW4ChzF+zjYJPNfV039lDZFbc3gzI1BcMYOR7
FagOR5wV5yDRPRE7dL/YS15x0/S0AKHC5HAe9sdYqOkJGOw+QGvl3xjGt/tpw4Fd
PNuRpBzBoAxIeykIWzP7FWp4bFb+IPM11OMaOt93i8jtXrh0Z79dHw==
=jYJu
-----END PGP SIGNATURE-----