This morning, we released Microsoft Security Bulletin MS99-029, discussing the availability of a patch for the "Malformed HTTP Request Header" vulnerability. However, we have discovered that the patch package contains a regression error. As a result, we have removed the patch from our download site. We are very sorry for any inconvenience that this problem may have caused. We are working to correct the error and will re-release the patch in a few days.

In the meantime, here are the basic details:

* The error lies in how IIS log files are processed. If writing a log record caused the size of the log file to be an exact multiple of 64KB, the server would hang.
* An affected server could be put back into service by killing the IIS process, copying the log file to a safe location, erasing the working copy, and restarting the IIS service.
* If you have not installed the patch, we recommend that you do not do so until the new version is ready.
* If you have installed the patch, we do not recommend attempting to back it out. The conditions under which the error occurs are fairly rare, and we intend to deliver a new version of the patch very quickly. We recommend that you be alert to the possibility of the error, but take no other action.

We will post full details as part of the security bulletin (http://www.microsoft.com/security/bulletins/ms99-029.asp) within the hour, and will send the information to customers who have subscribed to the Microsoft Product Notification Service (http://www.microsoft.com/security/services/bulletin.asp). When the new patch is available, we will re-release the bulletin.

Regards,
[EMAIL PROTECTED]
Retraction of Patch for "Malformed HTTP Request Header" Security Vulnerability
Microsoft Product Security Response Team Fri, 13 Aug 1999 12:28:07 -0700