Microsoft Patches Web Server Security Flaws
The company has deemed many of the vulnerabilities critical.
Microsoft said Wednesday it has fixed 10 new vulnerabilities in its Internet Information Services software, the worst of which could enable an attacker's code to be run on a server. The vulnerabilities have been found in IIS 4, 5, and 5.1. Build versions 3605 and higher of .Net Server are already fixed.
Six of the 10 vulnerabilities are buffer overrun vulnerabilities, one of the most common application development flaws, experts say. In a buffer overrun, the amount of data sent to a buffer exceeds its capacity. Two of the vulnerabilities let attackers crash IIS, creating a denial-of-service attack. Yet another vulnerability, called cross-site scripting, allows hackers to use a Web link to get users to run a script on another server running IIS and bypass security settings of the original server.
Microsoft has deemed many of the vulnerabilities critical. More information can be found in Microsoft Security Bulletin MS02-018 at www.microsoft.com/technet/security. Patches are available.
Microsoft's IIS has been plagued with security problems. The Code Red and Nimda attacks were spread last year by exploiting IIS flaws.