Microsoft Warns of Bug in IIS Server, Yet Again

For the second time this year, Microsoft issued a security advisory for possible vulnerabilities in its Internet Information Services (IIS) Web server software.

Prior to the advisory's release on Tuesday, Redmond had said that IIS 5.0 and IIS 6.0 could be affected. In those versions of the software, the File Transfer Protocol (FTP) service may be porous enough to allow incursions. In Tuesday's announcement, the software giant stated that IIS 5.0, 5.1 and 6.0 could all be affected by "publicly disclosed vulnerabilities."

Such bugs, Microsoft said, "could allow remote code execution on affected systems that are running the FTP service and are connected to the Internet."

Vulnerabilities affecting IIS have been seen before. In May, Redmond issued a security advisory to address holes in IIS versions 5.0, 5.1 and 6.0. The software giant at the time said that it wasn't aware of any "known attacks" against IIS (as with this release), but that it was looking into the matter.

Tuesday's security advisory comes just after proof-of-concept code was released on the Milw0rm exploit discussion portal. According to Milw0rm, the code exploits holes in IIS 5.0 and 6.0 running on Windows 2000, achieving remote code execution via a stack overflow.

Microsoft issued this security advisory to address not just Windows 2000, but also XP, Vista, Windows Server 2003, Windows Server 2008 and even Windows 7.

Repeat Performance

IIS is among the world's most frequently used Web server applications, second only to the Apache HTTP server. Redmond has tried to address the threats in various ways.

About this time last year, Microsoft released the Web version of a tool called UrlScan 3.0, a complement to IIS that tracks and authenticates HTTP server requests, potentially blocking malicious code. Apparently hackers have studied this tool and have figured out a way to circumvent its effectiveness.

The problem has become so pervasive that, as a follow-up to its own advisory in May, the U.S. Computer Emergency Readiness Team issued another advisory this week saying that it "encourages administrators to disable anonymous write access to the FTP server to help mitigate the vulnerability." U.S. CERT added that "a proper impact analysis should be performed prior to taking defensive measures."

Security pros are taking notice as well.

"A workaround would be to set permissions on the FTP server to 'not allow' a remote user to create a directory on the FTP server," said Paul Henry, security and forensic analyst at Lumension.

Previous workarounds from Microsoft include recommending that system administrators maintain solid, consistently enforced file system access control lists (ACLs). Tightening access control in this way reduces the elevation-of-privilege problem.

However, security specialists and observers are still awaiting another patch for IIS, especially since Microsoft found it important enough to issue a formal advisory.

"The [exploits] can easily be automated by combining with a scanning tool and we will see an increase in scanning for open FTP ports soon," said Wolfgang Kandek, chief technology officer at Qualys. "In addition to running IIS, vulnerable FTP servers also have to allow write access. This cuts down on the number of potential targets, but unfortunately even anonymous write access is good enough to make the server vulnerable."
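The mitigation thread running through US-CERT's advice, Henry's workaround and Kandek's remark is the same: anonymous logins must not be able to write to, or create directories on, the FTP server. The following detection script is an added example (not code from the article or from Microsoft) that checks IIS FTP W3C logs for exactly that condition; the sample log lines are constructed, and the field order is assumed from the IIS 6 `#Fields` header shown in the sample.

```python
"""Detection example: flag anonymous write activity in IIS FTP W3C logs.
The sample lines are constructed for this example (not from the article) and
assume the IIS 6 field order shown in the #Fields header below."""
import re
from collections import namedtuple

# FTP commands that create or modify server-side state; an anonymous login
# issuing these shows anonymous write access has not been disabled.
WRITE_COMMANDS = {"MKD", "XMKD", "RMD", "STOR", "STOU", "APPE", "RNFR", "RNTO", "DELE"}
ANONYMOUS_USERS = {"anonymous", "ftp"}
# IIS prefixes cs-method with a bracketed session number, e.g. "[1]MKD".
METHOD_RE = re.compile(r"^\[(\d+)\](\w+)$")

SAMPLE_LOG = """#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status sc-win32-status
2009-09-01 10:15:02 10.0.0.50 - [1]USER anonymous 331 0
2009-09-01 10:15:02 10.0.0.50 anonymous [1]PASS - 230 0
2009-09-01 10:15:03 10.0.0.50 anonymous [1]MKD /pub/incoming/newdir 257 0
2009-09-01 10:15:04 10.0.0.50 anonymous [1]NLST /pub/incoming 226 0
2009-09-01 10:16:10 10.0.0.51 - [2]USER anonymous 331 0
2009-09-01 10:16:10 10.0.0.51 anonymous [2]PASS - 230 0
2009-09-01 10:16:11 10.0.0.51 anonymous [2]MKD /pub/test 550 5
2009-09-01 10:17:00 10.0.0.52 alice [3]MKD /home/alice/reports 257 0
"""

# succeeded is True for a 2xx reply, i.e. the server actually performed the write.
Finding = namedtuple("Finding", "client_ip session command path status succeeded")

def find_anonymous_writes(log_text):
    """Return one Finding per write command issued by an anonymous login."""
    findings = []
    for line in log_text.splitlines():
        fields = line.split()
        if not fields or line.startswith("#") or len(fields) < 7:
            continue  # blank line, W3C header directive, or truncated record
        client_ip, user, method, path, status = fields[2:7]
        m = METHOD_RE.match(method)
        if not m or user.lower() not in ANONYMOUS_USERS:
            continue
        session, command = m.group(1), m.group(2).upper()
        if command in WRITE_COMMANDS:
            code = int(status)
            findings.append(Finding(client_ip, session, command, path, code, 200 <= code < 300))
    return findings

def anonymous_write_enabled(findings):
    """True if any anonymous write was accepted, so the US-CERT mitigation is not in place."""
    return any(f.succeeded for f in findings)
```

A refused write (the 550 reply in the sample) is still worth alerting on, since it shows anonymous clients probing for write access; an accepted one means the server is exposed in the way Kandek describes.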

About the Author

Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.