Check your speedThis patch eliminates a security vulnerability in Microsoft Internet Information server that would allow a malicious user to hijack another user's secure Web session under a very restricted set of circumstances.
IIS supports the use of a session ID cookie to track the current session identifier for a Web session. However, ASP in IIS does not support the creation of secure session ID cookies as defined in RFC 2109. As a result, secure and non-secure pages on the same Web site use the same session ID. If a user initiated a session with a secure Web page, a session ID cookie would be generated and sent to the user, protected by SSL. But if the user subsequently visited a non-secure page on the same site, the same session ID cookie would be exchanged, this time in plaintext. If a malicious user had complete control over the communications channel, he could read the plaintext session ID cookie and use it to connect to the user's session with the secure page. At that point, he could take any action on the secure page that the user could take.
The conditions under which this vulnerability could be exploited are rather daunting. The malicious user would need to have complete control over the other user's communications with the Web site. Even then, the malicious user could not make the initial connection to the secure page; only the legitimate user could do that. The patch eliminates the vulnerability by adding support for secure session ID cookies in ASP pages. (Secure cookies already are supported for all other types of cookies, under all other technologies in IIS).
See the FAQ for more information.
Did you find this download useful?
27 out of 50 users found this download useful
People who downloaded this software also downloaded...
Active WebCam Deluxe 11.3
Broadcast MPEG-4 live video from your Webcam up to 30 frames per second.
Hitware Popup Killer Lite 3.1.1
Get rid of annoying pop-ups appearing as browser windows and Messenger Service dialogs.
Super Ad Blocker 4.6
Block all forms of advertising, including pop-ups, Flash ads, and banner ads.
Ultra Ad Killer 1.31
Block various kinds of pop-ups and erase the tracks of your Internet activities.
Access Manager 9.1
Control Internet and computer usage and restrict access to Windows' key features.
Advanced Internet Kiosk 6.22
Create Internet kiosks, public access PCs, or in-store terminals.
Locus Screen 2006 Professional 2.1
Monitor and block unauthorized process execution and modification of files.
