Microsoft Security Bulletin MS02-028 (Version 2)

Title: Heap Overrun in HTR Chunked Encoding Could Enable Web
Server Compromise (Q321599)
Released: 12 June 2002
Revised: 01 July 2002 (version 2.0)
Software: Internet Information Server
Impact: Run Code of Attacker's Choice
Max Risk: Critical
Bulletin: MS02-028

Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com/technet/security/bulletin/MS02-028.asp .

Reason for Revision:
====================
On June 12, 2002, Microsoft released the original version of this
bulletin. On July 1, 2002, the bulletin was updated to revise the
severity rating. Specifically, Microsoft has increased the severity
rating of this issue to "critical ." The revision is in response to a
significant change in the threat environment due to an increased
focus on chunked encoding vulnerabilities in general, and the
discovery of hostile code attempting to exploit similar
vulnerabilities on other platforms. Customers who have already
disabled HTR or applied this patch need not take any action.
Customers who have not disabled HTR should do so as soon as
possible. Alternately, customers who cannot disable HTR should
apply the patch immediately.

 

Per spy1's above posting: this does not affect users of Win 95/98/98se/XP. See below:

Thought it might be important to clarify who is affected by this. No disrespect intended.

 

so what else is new? Man I am happy this means nothing to me anymore. Just last month, this warning would have me up half the night.

On the other hand, there were some Apache security updates the other day as well...

Hmmm, .....can't win.....Oh wait! Nobody writes exploits for the commodore64 anymore right?

 

Lol. You'd be rather surprised.

Start using it for anything important, and I guarantee an exploit will be released/used within a short amount of time (such is the sad state of things).

If only businesses could worry about security first, and features last...

-javacool