IPS-1 Protection Update for WWW2 (Version 27)

• IPS-1

Microsoft IIS decodes Unicode character sets in a variety of ways. There is an uncommon way of creating Unicode characters in HTTP, which IIS (but no other known web servers) decode. It is in the form of percent-u-hexchar-hexchar-hexchar-hexchar.

The IPS-1 WWW2 protocol subsystem has been updated to take full advantage of the latest engine builtins to more properly handle some of the more esoteric Unicode evasion techniques (such as half-width/full-width encoding).

Microsoft IIS decodes Unicode character sets in a variety of ways. There is an uncommon way of creating Unicode characters in HTTP, which IIS (but no other known web servers) decode. It is in the form of percent-u-hexchar-hexchar-hexchar-hexchar.

The referenced character may be within the normal ASCII character set, and would be interpreted by the IIS server as such. Various intrusion detection systems will not appropriately decode this character into its native form, permitting attacks encoded in this manner to go undetected.

So-called "half-width" and "full-width" Unicode encoding schemesare recognized in the form of %uff[hex char][hexchar].