Bug gives hackers access to crash IIS Web servers on NT

By Bob Trott and Maggie Biggs
InfoWorld Electric
Posted at 3:45 PM PT, Jun 20, 1997

A bug in Microsoft's Internet Information Server (IIS) 3.0 can give malicious hackers an opportunity to bring the Web server crashing down.

The flaw, discovered by an Austin, Texas, computer consultant and duplicated by the InfoWorld Test Center, as well as an IIS team at Microsoft, occurs when a client machine running Netscape's Navigator 3.0 browser and Java 1.0.2 sends a particular HTTP request to a remote IIS 3.0 server. At Microsoft's request, InfoWorld chose not to print specific instructions on how to initiate the crash.

"Potentially, with this information you could go out and shut down a server pretty much at will," said Todd Fast, the consultant, who works at the Sterling Information Group. Although the setup needed to cause the crash is very specific, a hacker could easily run it maliciously, Fast said.

The proof may have arrived very close to home for Microsoft. The weakness was apparently used to crash a server or two at Microsoft's own Web site, causing some dead links and missing pages since Thursday.

"It's really nothing more than a denial-of-service attack, but if you're running a Web-site storefront, that's pretty serious," Fast said.

Microsoft officials were unaware of the bug until Fast contacted them Thursday. They immediately began investigating it and working on a fix. They said a fix could be posted by the end of the day Friday.

"You'd have to be a malicious hacker trying to break down a site that had a very specific configuration," said Jonathan Parera, IIS group product manager at Microsoft. "It needs to be configured as both a RAD server and a Web server, which isn't that common."

"If there are bugs, we fix them as quickly as possible," Parera said.

Microsoft also said that the bug only causes the server to crash. There is no loss of data.

The error is not evident to the client machine -- a typical "site contacted, waiting for reply" message is displayed -- but the IIS server receives a Dr. Watson memory error and subsequently is unable to process any other requests.

Using the specific combination of browser, Java, and IIS 3.0, the InfoWorld Test Center was able to repeatedly cause the IIS server to crash. Other attempts to reproduce the error with Internet Explorer, later versions of Java, and other combinations did not show the same problem.

Microsoft has not determined whether IIS 4.0, poised to go to beta testing in a few weeks, would be affected by the bug.

"If the problem manifests itself in any future product at Microsoft, we will have it corrected," said Mike Nash, NT product manager.

Microsoft is working on a fix for the bug. The company already has dealt with IIS 3.0 bugs this year. In February, Microsoft patched a bug that let users view all the contents of an Active Server Page, including database passwords and other sensitive information.

Microsoft Corp., in Redmond, Wash., can be reached at http://www.microsoft.com/.

Copyright © 1997 InfoWorld Publishing Company