Security 10816 Published by

On October 23, 2000, Microsoft released the original version of this
bulletin, to discuss the availability of a patch that eliminates a
security vulnerability in Microsoft(r) Internet Information Server.
The vulnerability could allow a malicious user to "hijack" another
user´s secure web session, under a very restricted set of
circumstances.

On November 20, 2000, we re-released the bulletin to advise customers
using IIS 4.0 on Alpha platforms, or IIS 5.0 on x86 platforms, that
new versions of these patch are available, to correct an error in the
original version of the patch. The x86 IIS 4.0 patch was not affected
by the error, and customers using these systems do not need to take
any action.

Frequently asked questions regarding this vulnerability and
the patch can be found at
http://www.microsoft.com/technet/security/bulletin/fq00-080.asp

Affected Software Versions
==========================
- Microsoft Internet Information Server 4.0
- Microsoft Internet Information Services 5.0

Patch Availability
==================
- IIS 4.0:
x86 platforms:
http://www.microsoft.com/ntserver/nts/downloads/critical/q274149
Alpha platforms:
Available from Microsoft Product Support Services
- IIS 5.0:
http://www.microsoft.com/Windows2000/downloads/critical/q274149

Note: The patch installs support for secure Session ID cookies, but
does not enable it for reasons of application compatibility. As
discussed in the Knowledge Base article, it can be enabled or
disabled on a site-by-site basis.