CVE-1999-0910: Microsoft Site Server and Commercial Internet System (MCIS) do not set an expiration for a cookie, which could then be cached by a proxy and inadvertently used by a different user.
Microsoft Site Server and Commercial Internet System (MCIS) do not set an expiration for a cookie, which could then be cached by a proxy and inadvertently used by a different user.
AI Analysis
Technical Summary
CVE-1999-0910 is a medium-severity vulnerability affecting Microsoft Site Server and Commercial Internet System (MCIS) versions 2.0, 2.5, and 3.0. The products issue a cookie without an expiration attribute. A browser treats such a cookie as a session cookie, but the exposure is in the HTTP path: the response that carries the Set-Cookie header is not marked as uncacheable, so an intermediary proxy can store it and serve the identical response, cookie included, to the next client that requests the same URL. A different user behind the same proxy then inherits the first user's cookie, and with it whatever identity or session state that cookie represents, without either user doing anything unusual. The vulnerability is exploitable over the network without authentication (AV:N/AC:L/Au:N) and partially impacts confidentiality (C:P) but not integrity or availability, giving a CVSS v2 base score of 5.0 (medium). The practical exposure depends on topology: sharing only occurs where several users pass through a common caching proxy, which is exactly the situation on corporate, ISP and campus networks. Microsoft released a patch that sets a proper expiration on the cookie so that a cached copy is not reused by proxies. No exploits have been reported in the wild, but the issue remains relevant for legacy systems still running these versions of MCIS or Site Server. The vulnerability was published in 1999.
Potential Impact
For European organizations, the impact of this vulnerability is a confidentiality breach through cookie reuse via proxy caching. Organizations still running legacy Microsoft Site Server or MCIS versions in their web infrastructure risk one user's session or personalization state being handed to another user, and therefore unauthorized access to user sessions or the personal data behind them. This can lead to data leakage, privacy violations under GDPR, and reputational damage. Although modern web architectures, browsers and caching proxies have largely mitigated this class of problem, any remaining legacy deployments in sectors such as government, education, or industries relying on older Microsoft web products could be affected. The risk is greatest in environments where multiple users reach the internet through a shared caching proxy: the leakage is not only accidental, since anyone behind the same proxy can request the affected URL and collect whatever cookie the cache replays. Because the vulnerability does not affect integrity or availability, the primary concern is unauthorized disclosure of information. The absence of known exploits reduces immediate risk, but unpatched systems remain susceptible to targeted attacks or insider threats leveraging cached cookies.
Mitigation Recommendations
European organizations should first identify any legacy deployments of Microsoft Site Server or MCIS versions 2.0, 2.5, or 3.0 within their infrastructure. Immediate mitigation is to apply the official Microsoft security patch MS99-035, which sets an appropriate expiration on the cookie so that proxies do not reuse it. If patching is not feasible, the response that sets the cookie must be made uncacheable by shared caches: send 'Cache-Control: no-store' (or at least 'Cache-Control: private') and, for older proxies, 'Pragma: no-cache' on every response that carries a Set-Cookie header. Proxies are configured at the response level, not the cookie level, so the complementary control is to configure any in-house proxy to refuse to store responses that contain Set-Cookie. Network segmentation and limiting access to legacy systems reduce exposure. Monitoring proxy and web-server logs for the same cookie value appearing from multiple client addresses can reveal that the cache is replaying cookies. Finally, organizations should plan to upgrade legacy web infrastructure to supported, modern platforms that follow current security best practices for session management.
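To make the mechanism in the technical summary and the header-based mitigation above concrete, here is an added example written for this page; it is not code from Microsoft or from the advisory. It parses a raw HTTP response, applies a conservative model of when a shared proxy may store it, flags responses that hand out a Set-Cookie header in a storable response, and simulates two users behind one proxy to show the cookie being replayed. The response bytes, the MEMBERID cookie name and the example.test URL are constructed for illustration and are not taken from a real Site Server.

```python
"""Audit HTTP responses for Set-Cookie headers that a shared caching proxy
could store and replay to another user (the CVE-1999-0910 failure mode).

Added example for this page, not code from Microsoft or the advisory. The
response bytes, URL and cookie name below are constructed for illustration.
"""
from typing import Callable, Dict, List, Tuple

Headers = List[Tuple[str, str]]

# Constructed responses: an origin that sets a login cookie without telling
# caches to keep the response private (the vulnerable shape), and the same
# response hardened with the headers the mitigation section recommends.
VULNERABLE_RESPONSE = (
    b"HTTP/1.0 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Set-Cookie: MEMBERID=0123456789abcdef; path=/\r\n"
    b"\r\n"
    b"<html>Welcome back, alice</html>"
)
HARDENED_RESPONSE = (
    b"HTTP/1.0 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Cache-Control: no-store, private\r\n"
    b"Pragma: no-cache\r\n"
    b"Set-Cookie: MEMBERID=0123456789abcdef; path=/\r\n"
    b"\r\n"
    b"<html>Welcome back, alice</html>"
)


def parse_response(raw: bytes) -> Tuple[int, Headers, bytes]:
    """Split a raw HTTP/1.x response into status code, lowercased header names, body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    status = int(lines[0].split(" ")[1])
    headers: Headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers, body


def header_values(headers: Headers, name: str) -> List[str]:
    return [v for n, v in headers if n == name.lower()]


def shared_cache_may_store(status: int, headers: Headers) -> bool:
    """Conservative model of a shared proxy deciding whether to store a response.
    Follows RFC 7234 section 3: no-store or private forbids storage by a shared
    cache, the legacy response 'Pragma: no-cache' is treated the same way, and a
    200 with no explicit freshness information may be stored heuristically."""
    if status != 200:
        return False
    directives = set()
    for value in header_values(headers, "cache-control"):
        for token in value.split(","):
            directives.add(token.strip().split("=")[0].lower())
    if directives & {"no-store", "private"}:
        return False
    if any(v.lower() == "no-cache" for v in header_values(headers, "pragma")):
        return False
    return True


def audit_set_cookie(raw: bytes) -> List[str]:
    """Return findings for a response that hands out a cookie a proxy could replay."""
    status, headers, _ = parse_response(raw)
    cookies = header_values(headers, "set-cookie")
    findings: List[str] = []
    if cookies and shared_cache_may_store(status, headers):
        findings.append("Set-Cookie in a response a shared cache may store")
    for cookie in cookies:
        attrs = {a.strip().split("=")[0].lower() for a in cookie.split(";")[1:]}
        if not attrs & {"expires", "max-age"}:
            findings.append(f"cookie {cookie.split('=')[0]} has no expiration")
    return findings


class SharedProxy:
    """Toy caching proxy: stores whatever shared_cache_may_store allows and
    replays it, Set-Cookie header included, to the next client asking for the URL."""

    def __init__(self) -> None:
        self.cache: Dict[str, bytes] = {}

    def fetch(self, url: str, origin: Callable[[str], bytes]) -> bytes:
        if url in self.cache:
            return self.cache[url]
        raw = origin(url)
        status, headers, _ = parse_response(raw)
        if shared_cache_may_store(status, headers):
            self.cache[url] = raw
        return raw


def cookie_leaks_to_second_user(response: bytes) -> bool:
    """Two users behind one proxy request the same URL; True if the second user
    is served the first user's Set-Cookie header from the cache."""
    proxy = SharedProxy()
    origin_hits = {"count": 0}

    def origin(_url: str) -> bytes:
        origin_hits["count"] += 1
        return response

    proxy.fetch("http://example.test/login", origin)  # first user, hits origin
    second = proxy.fetch("http://example.test/login", origin)  # second user
    _, headers, _ = parse_response(second)
    return origin_hits["count"] == 1 and bool(header_values(headers, "set-cookie"))


if __name__ == "__main__":
    for label, resp in (("vulnerable", VULNERABLE_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_set_cookie(resp), "leaks:", cookie_leaks_to_second_user(resp))
```

Both responses leave the cookie itself without an expiration, and the audit reports that in both cases; only the vulnerable response is also storable by a shared cache, and only there does the second user receive the first user's cookie. Modern shared caches generally treat Set-Cookie as a reason not to store a response, so the audit matters mostly for legacy proxies and hand-written CDN caching rules; Cache-Control: no-store (or private) remains the response-side control that does not depend on that behaviour.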
Affected Countries
Germany, United Kingdom, France, Italy, Spain, Netherlands, Poland, Belgium
Threat ID: 682ca32cb6fd31d6ed7df22a
Added to database: 5/20/2025, 3:43:40 PM
Last enriched: 7/1/2025, 3:40:59 PM
Last updated: 8/16/2025, 11:40:27 PM