After Code Released, MS to Patch IIS Bug
Company confirms that IIS 5 and IIS 6 are affected by new attack.
By Robert McMillan
September 02, 2009 — IDG News Service —
One day after a security researcher published attack code for a flaw in Microsoft's IIS server software, Microsoft said it plans to patch the issue.
Microsoft also released a security advisory describing the problem and detailing technical workarounds that system administrators can implement while they're waiting for a patch. "We're currently investigating the issue... and working to develop a security update," Microsoft said in a note on its Web site. "This update will be released once it reaches an appropriate level of quality for broad distribution."
Microsoft's next set of security patches is due Sept. 8. It's not clear if the company will be able to develop and test its IIS (Internet Information Services) patch in time for that update, however.
The attack code was published Monday by Nikolaos Rangos, who said he did not notify the software company of the issue ahead of time. Rangos's attack is considered to be very reliable on IIS 5 systems and could be used to run unauthorized software on the server.
The flaw lies in the FTP (File Transfer Protocol) software used by IIS, and is considered to be a critical issue for users of the older IIS 5 product. IIS 6 users are also affected, but they are at reduced risk because of the way IIS 6 was compiled, Microsoft said in its advisory. "This does not remove the vulnerability but does make exploitation of the vulnerability more difficult."
Users who are using the more-recent IIS 7 or who are not running the FTP service are not affected, Microsoft said.
Even for IIS 5 and 6 users, there's another mitigating factor: "Affected systems are not vulnerable unless untrusted FTP users are granted write access. By default, FTP users are not granted write access," Microsoft said.
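The mitigating factor above turns on a single configuration question: does any FTP virtual directory grant write access, and is that site actually running? The following audit script is an added example, not code from the article or from Microsoft. It walks an IIS 6 metabase export in the MetaBase.xml format (IIsFtpService, IIsFtpServer and IIsFtpVirtualDir elements with AccessFlags written as pipe-separated names) and reports every FTP directory whose effective flags include AccessWrite, resolving inherited flags by walking up the metabase path. The sample metabase fragment is constructed for the example; treating ServerState "2" as a started site is an assumption. IIS 5 keeps its metabase in a binary file rather than XML, so this only applies directly to IIS 6 exports.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of an IIS 6 MetaBase.xml export (assumption:
# a real file carries many more nodes; only the FTP-related ones are modelled).
SAMPLE_METABASE = r"""<?xml version="1.0"?>
<configuration xmlns="urn:microsoft-catalog:XML_Metabase_V64_0">
<MBProp>
<IIsFtpService Location="/LM/MSFTPSVC" AllowAnonymous="TRUE" />
<IIsFtpServer Location="/LM/MSFTPSVC/1" ServerComment="Default FTP Site" ServerState="2" />
<IIsFtpVirtualDir Location="/LM/MSFTPSVC/1/ROOT" AccessFlags="AccessRead | AccessWrite" Path="c:\inetpub\ftproot" />
<IIsFtpVirtualDir Location="/LM/MSFTPSVC/1/ROOT/pub" AccessFlags="AccessRead" Path="c:\inetpub\ftproot\pub" />
<IIsFtpVirtualDir Location="/LM/MSFTPSVC/1/ROOT/uploads" Path="c:\inetpub\ftproot\uploads" />
<IIsFtpServer Location="/LM/MSFTPSVC/2" ServerComment="Stopped Site" ServerState="4" />
<IIsFtpVirtualDir Location="/LM/MSFTPSVC/2/ROOT" AccessFlags="AccessRead | AccessWrite" Path="d:\drop" />
</MBProp>
</configuration>
"""


def _local(tag):
    """Strip the XML namespace so tags compare by their local name."""
    return tag.rsplit("}", 1)[-1]


def find_writable_ftp_dirs(xml_text):
    """Return one finding per FTP virtual directory whose effective
    AccessFlags include AccessWrite, with the site state and the
    service-wide anonymous setting attached for triage."""
    root = ET.fromstring(xml_text)
    vdirs = {}      # metabase location -> explicit AccessFlags string or None
    servers = {}    # site location -> ServerState string
    anonymous = False
    for el in root.iter():
        name = _local(el.tag)
        loc = el.get("Location", "")
        if name == "IIsFtpService":
            anonymous = el.get("AllowAnonymous", "FALSE").upper() == "TRUE"
        elif name == "IIsFtpServer":
            servers[loc] = el.get("ServerState")
        elif name == "IIsFtpVirtualDir":
            vdirs[loc] = el.get("AccessFlags")

    def effective_flags(loc):
        # A directory without its own AccessFlags inherits from the nearest
        # ancestor that sets them; walk up the path until one is found.
        parts = loc.split("/")
        while parts:
            flags = vdirs.get("/".join(parts))
            if flags is not None:
                return {f.strip() for f in flags.split("|")}
            parts.pop()
        return set()

    findings = []
    for loc in sorted(vdirs):
        flags = effective_flags(loc)
        if "AccessWrite" not in flags:
            continue
        site = "/".join(loc.split("/")[:4])  # /LM/MSFTPSVC/<site id>
        findings.append({
            "location": loc,
            "flags": sorted(flags),
            # Assumption: ServerState "2" means the site is started.
            "server_running": servers.get(site) == "2",
            "anonymous_allowed": anonymous,
        })
    return findings


if __name__ == "__main__":
    for f in find_writable_ftp_dirs(SAMPLE_METABASE):
        state = "running" if f["server_running"] else "stopped"
        anon = "anonymous allowed" if f["anonymous_allowed"] else "authenticated only"
        print(f"{f['location']}: {' | '.join(f['flags'])} ({state}, {anon})")
```

A directory that only inherits write access from its parent is reported alongside those that set it explicitly, since the server applies the inherited flags just the same. Findings on a started site with anonymous logon enabled are the ones that match the advisory's "untrusted FTP users" condition most directly; a stopped site is still worth fixing before it is started again.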
Although nobody has yet reported real-world attacks using Rangos's code, security vendor Symantec said Tuesday that "many systems will be vulnerable across the internet and that in-the-wild attacks will occur."
Another security company, Secunia, rates the flaw "moderately critical."
Last May, Web analytics firm Netcraft counted 2.8 million sites still using the IIS 5 software, but it's not clear how many of them would have the FTP set-up that would make them vulnerable to this attack.
Copyright 2009 IDG News Service, International Data Group Inc. All rights reserved.