Microsoft confirms serious IIS bug, downplays threat
Microsoft late Monday confirmed that its Internet Information Services (IIS) Web-server software contains a vulnerability that could let attackers steal data, but downplayed the threat.
"An attacker could exploit the vulnerability by creating a specially crafted HTTP request to a Web site that requires authentication, and thereby gain unauthorized access to protected resources," Microsoft said in a security advisory issued Monday night.
"[But] only a specific IIS configuration is at risk from this vulnerability," Jonathan Ness, an engineer with the Microsoft Security Response Center (MSRC), said in a post to the center's blog.
Earlier in the day, security organizations, including Cisco and the U.S. Computer Emergency Response Team (US-CERT) had warned that IIS 6 harbored a bug that a researcher claimed could be used to both view and upload files to Web servers.
According to Microsoft, the flaw affects IIS 6 servers where WebDAV (Web-based Distributed Authoring and Versioning), a set of extensions to HTTP used to share documents over the Web. WebDAV is also used in Microsoft Exchange 2003 to access inboxes through a browser.
Microsoft also confirmed that the older IIS 5 and IIS 5.1 software is vulnerable; The newer IIS 7, which debuted alongside Windows Vista and is included in Windows Server 2008, is not affected, however.
The vulnerability was revealed last week in a message by security researcher Nikolaos Rangos on the Full Disclosure mailing list. Although Rangos said the bug could be used to upload potentially malicious files, Belgian researcher Thierry Zoller said there was no way for an attacker to actually run malware planted on the server.
Ness echoed Zoller, with the caveat that Microsoft is still looking at the bug. "What we have found is that the IIS installer applies an NTFS access control entry to explicitly deny write access to the anonymous account (IUSR_[MachineName]) in wwwroot and subdirectories that inherit wwwroot's ACL," he said. "So in the default case, this vulnerability will not allow a malicious attacker to upload or modify Web pages."
He also ticked off four criteria that must be met to put a server at risk, and noted that "this vulnerability is primarily an information disclosure threat."
Sign up for ITworld's Daily newsletter
Follow ITworld on Twitter @IT_world
On Twitter now
iis
Powered by Twitter
Esther Schindler
If the comments are ugly, the code is ugly
claird
SVG a graphics format for 21st century
pasmith
Take Chrome OS for a test spin
Sandra Henry-Stocker
Solaris Tip: Have Your Files Changed Since Installation?
jfruh
Android fragments vs. the iPhone monolith
mikelgan
What Gizmodo missed about the Pro WX Wireless USB disk drive
Where Google Chrome security fails: the password
I heard mention that the Chrome OS will have some sort of encryption available a la bitlocker. If it's possible to encrypt personal data using another password or key, then it may have potential for very secure data.... And Ubuntu has an 'encrypt home directory' option, perhaps google should follow suit.
- Dann
Join the conversation here
Quick, practical advice for IT pros. Made fresh daily.
Want to cash in on your IT savvy? Send your tip to tips@itworld.com. If we post it, we'll send you a $25 Amazon e-gift card.
