SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Web Server/CGI)  >   Microsoft Internet Information Server (IIS) Web Server Vendors:   Microsoft
Microsoft Internet Information Services Memory Allocation Error Lets Remote Authenticated Users Execute Arbitrary Code
SecurityTracker Alert ID:  1024079
SecurityTracker URL:  http://securitytracker.com/id/1024079
CVE Reference:   CVE-2010-1256   (Links to External Site)
Date:  Jun 8 2010
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 6.0, 7.0, 7.5
Description:   A vulnerability was reported in Microsoft Internet Information Services. A remote authenticated user can execute arbitrary code on the target system.

A remote authenticated user can send specially crafted authentication data to trigger a memory allocation error and execute arbitrary code on the target system. The code will run with the privileges of the Worker Process Identity (WPI).

Impact:   A remote authenticated user can execute arbitrary code on the target system.
Solution:   The vendor has issued the following fixes:

Windows Server 2003 Service Pack 2, Internet Information Services 6.0:

http://www.microsoft.com/downloads/details.aspx?familyid=0761C207-5465-4F42-B61F-BD02EFCEF27D

Windows Server 2003 x64 Edition Service Pack 2, Internet Information Services 6.0:

http://www.microsoft.com/downloads/details.aspx?familyid=023572FF-CE5D-4428-A96B-1245DB6FF312

Windows Server 2003 with SP2 for Itanium-based Systems, Internet Information Services 6.0:

http://www.microsoft.com/downloads/details.aspx?familyid=F1F3E524-8AC6-4210-A3A8-4FFC58A606EA

Windows Vista Service Pack 1 and Windows Vista Service Pack 2, Internet Information Services 7.0:

http://www.microsoft.com/downloads/details.aspx?familyid=01382926-2313-4769-A0A5-262C4F9F18A1

Windows Vista x64 Edition Service Pack 1 and Windows Vista x64 Edition Service Pack 2, Internet Information Services 7.0:

http://www.microsoft.com/downloads/details.aspx?familyid=7FB6F2B8-C7A6-4239-99F3-CF3AACF89B0F

Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2, Internet Information Services 7.0:

http://www.microsoft.com/downloads/details.aspx?familyid=84A54246-5D9E-49E2-8170-AF48B43F984D

Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2, Internet Information Services 7.0:

http://www.microsoft.com/downloads/details.aspx?familyid=38286E43-89A6-4895-8FF9-69452DF38706

Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2, Internet Information Services 7.0:

http://www.microsoft.com/downloads/details.aspx?familyid=8AD19EBA-9821-48B4-A942-4EE4F002F913

Windows 7 for 32-bit Systems, Internet Information Services 7.5:

http://www.microsoft.com/downloads/details.aspx?familyid=588167CB-F62A-4FB8-8A18-AC15DC322495

Windows 7 for x64-based Systems, Internet Information Services 7.5:

http://www.microsoft.com/downloads/details.aspx?familyid=1C45D0C8-1629-470B-8167-C6BF66054595

Windows Server 2008 R2 for x64-based Systems, Internet Information Services 7.5:

http://www.microsoft.com/downloads/details.aspx?familyid=5D9B7705-6280-4D2E-94FA-3160B3CE5CFA

Windows Server 2008 R2 for Itanium-based Systems, Internet Information Services 7.5:

http://www.microsoft.com/downloads/details.aspx?familyid=869E900A-0063-4D8B-9B7C-7D12F6BE12CD

A restart may be required.

The Microsoft advisory is available at:

http://www.microsoft.com/technet/security/bulletin/ms10-040.mspx

Vendor URL:  www.microsoft.com/technet/security/bulletin/ms10-040.mspx (Links to External Site)
Cause:   Access control error
Underlying OS:  Windows (2003), Windows (2008), Windows (7), Windows (Vista)

Message History:   None.


 Source Message Contents



[Original Message Not Available for Viewing]


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC