- home
- reviews
- news
- downloads
- cnet tv
HOLIDAY HELP DESK: Broadcasting live at 1:00 p.m., PT
- log in
- join CNET
- welcome,
- my profile
- log out

Microsoft IIS4 "Session ID Cookie Marking" Vulnerability Patch (MS00-080)

Quick specs
Price: Free
Operating system:
Date added: October 25, 2000
Total Downloads: 1,805
Downloads last week: 1
See full specifications

Add to my list Add to my Watch List

Download Now (2.63MB)

Tested spyware free

Average user rating: 5.0 stars out of 1 votes
See all user reviews

Publisher's description

From Microsoft :

This patch eliminates a security vulnerability in Microsoft Internet Information server that would allow a malicious user to hijack another user's secure Web session under a very restricted set of circumstances.

IIS supports the use of a session ID cookie to track the current session identifier for a Web session. However, ASP in IIS does not support the creation of secure session ID cookies as defined in RFC 2109. As a result, secure and non-secure pages on the same Web site use the same session ID. If a user initiated a session with a secure Web page, a session ID cookie would be generated and sent to the user, protected by SSL. But if the user subsequently visited a non-secure page on the same site, the same session ID cookie would be exchanged, this time in plaintext. If a malicious user had complete control over the communications channel, he could read the plaintext session ID cookie and use it to connect to the user's session with the secure page. At that point, he could take any action on the secure page that the user could take.

The conditions under which this vulnerability could be exploited are rather daunting. The malicious user would need to have complete control over the other user's communications with the Web site. Even then, the malicious user could not make the initial connection to the secure page; only the legitimate user could do that. The patch eliminates the vulnerability by adding support for secure session ID cookies in ASP pages. (Secure cookies already are supported for all other types of cookies, under all other technologies in IIS).

See the FAQ for more information.

Help Secure Exchange

Free trial of Forefront Protection 2010 for Exchange Server

Download Now

More popular Corporate Security Software downloads

2,172 downloads 1. Folder Guard
896 downloads 2. L0phtCrack
737 downloads 3. McAfee Total Protection for Small Business
652 downloads 4. Spyware Doctor Enterprise Free Edition
363 downloads 5. Wireshark
See all Corporate Security Software downloads

BounceBack Ultimate

Continuous Data Protection.

Download Now

User reviews

Write your own review Be the first one to review Microsoft IIS4 "Session ID Cookie Marking" Vulnerability Patch (MS00-080) and share your experience with the CNET community!
Previous versions: See all user reviews

Submit your review

Microsoft IIS4 "Session ID Cookie Marking" Vulnerability Patch (MS00-080)

ORLog in with your Facebook account

1. Rate this product:: (Mouse over the stars to rate this product and click to set your rating.)
2. One-line summary:(Summarize your review in one line. 10 characters minimum; required.): 0 of 55 characters
3. Pros:(Tell us what you like about this product. 10 characters minimum; required.): 0 of 250 characters
4. Cons:(Tell us what you don't like about this product. 10 characters minimum; required.): 0 of 250 characters
Bottom-line summary:(Explain to us in detail why you like or dislike the product, focusing your comments on the product's features and functionality, and your experience using the product. This field is optional.): 0 of 5000 characters; Submit