Microsoft confirms new IIS Web server security flaw
May 21, 2009
On May 18, Microsoft confirmed that its Internet Information Services (IIS) Web-server software still contains a security flaw that could let attackers steal data and other content, but Microsoft downplayed the security threat.
"A potential hacker could exploit this security vulnerability by creating a specially crafted HTTP request to a Web site that requires authentication, and thereby gain unauthorized access to protected resources," Microsoft said in a security advisory issued late Monday night.
Earlier in the day, IT organizations including Cisco and the U.S. Computer Emergency Response Team (US-CERT) had warned that IIS 6 harbored a bug that a researcher claimed could be used to both view and upload files to IIS Web servers.
"However, only a specific IIS configuration is at risk from this vulnerability," Jonathan Ness, an engineer with the Microsoft Security Response Center (MSRC), said in a post to the center's blog.
According to the software giant, the security hole affects IIS 6 servers where WebDAV (Web-based Distributed Authoring and Versioning), a set of extensions to HTTP used to share documents over the Internet.
WebDAV is also used in Microsoft Exchange 2003 to access inboxes through a browser.
Microsoft has also confirmed that the older IIS 5 and IIS 5.1 software is even more vulnerable. The newer IIS 7, which debuted alongside Windows Vista and is included in Windows Server 2008, is not affected, however.
The security bug was actually revealed May 13 in a message by security researcher Nikolaos Rangos on the Full Disclosure mailing list. Although Rangos said the flaw could be used to upload potentially malicious files, Luxembourg researcher Thierry Zoller said there was no way for an attacker to actually run malware planted on the server.
Ness echoed Zoller, with the caveat that Microsoft is still looking at the bug...
"What we have found is that the IIS installer applies an NTFS access control entry to explicitly deny write access to the anonymous account (IUSR_[MachineName]) in wwwroot and subdirectories that inherit wwwroot's ACL," he said. "So in the default case, this vulnerability will not allow a malicious attacker to upload or modify Web pages."
However, this newest security threat isn't related to the Code Red vulnerability.
Ness also ticked off four criteria that must be met to put a server at risk, and noted that "this vulnerability is primarily an information disclosure threat."
Rangos' security flaw can actually be traced as far back as 2001, the year that the "Code Red" worm slowed Windows-based networks to a crawl, said Zoller, who noted that eight years ago Microsoft fixed a path traversal bug in May 2001.
He added "its resemblance to the IIS Unicode flaw from 2001 was so similar that my jaw first dropped," he said in a blog entry last Saturday. "The bug discovered by Rangos seems to suffer from a similar logic mistake [as MS01-026]."
Later in 2001, Microsoft patched other IIS bugs, including the one exploited by Code Red.
Microsoft's Ness outlined several workarounds that users could take until a patch was available, including disabling WebDAV, in IIE 5, 5.1 and 6.
The company did not explicitly promise a patch, but its advisory included boilerplate language -- "Microsoft will take the appropriate action to help protect our customers -- that typically indicates a fix is forthcoming.
Become an authorized reseller of Proxy Sentinel™ and Firewall Sentinel™. Do like the rest of our authorized resellers and have your clients benefit the important security features of our products and solutions, while increasing your sales at the same time. Click here for all the details.
You can link to the
Internet Security web site as
much as you like. Read our section on how your company can participate in our
reciprocal link exchange program
and increase your rankings
in the major search engines such as
Site optimized by Pagina+™
Powered by Sun Hosting
Search engine keywords by Rank for Sales
Development platform by My Web Services
Internet Security.ca is listed in
Global Business Listing