Microsoft confirms serious IIS bug, downplays threat

'Only a specific IIS configuration is at risk,' company says

Microsoft late Monday confirmed that its Internet Information Services (IIS) Web-server software contains a vulnerability that could let attackers steal data, but downplayed the threat.

"An attacker could exploit the vulnerability by creating a specially crafted HTTP request to a Web site that requires authentication, and thereby gain unauthorized access to protected resources," Microsoft said in a security advisory issued Monday night.

"[But] only a specific IIS configuration is at risk from this vulnerability," Jonathan Ness, an engineer with the Microsoft Security Response Center (MSRC), said in a post to the center's blog.

Earlier in the day, security organizations, including Cisco and the U.S. Computer Emergency Response Team (US-CERT) had warned that IIS 6 harbored a bug that a researcher claimed could be used to both view and upload files to Web servers.

According to Microsoft, the flaw affects IIS 6 servers where WebDAV (Web-based Distributed Authoring and Versioning), a set of extensions to HTTP used to share documents over the Web. WebDAV is also used in Microsoft Exchange 2003 to access inboxes through a browser.

Microsoft also confirmed that the older IIS 5 and IIS 5.1 software is vulnerable; The newer IIS 7, which debuted alongside Windows Vista and is included in Windows Server 2008, is not affected, however.

The vulnerability was revealed last week in a message by security researcher Nikolaos Rangos on the Full Disclosure mailing list. Although Rangos said the bug could be used to upload potentially malicious files, Belgian researcher Thierry Zoller said there was no way for an attacker to actually run malware planted on the server.

Ness echoed Zoller, with the caveat that Microsoft is still looking at the bug. "What we have found is that the IIS installer applies an NTFS access control entry to explicitly deny write access to the anonymous account (IUSR_[MachineName]) in wwwroot and subdirectories that inherit wwwroot's ACL," he said. "So in the default case, this vulnerability will not allow a malicious attacker to upload or modify Web pages."

He also ticked off four criteria that must be met to put a server at risk, and noted that "this vulnerability is primarily an information disclosure threat."

Rangos' bug can be traced to 2001, the year that the "Code Red" worm slowed Windows-based networks to a crawl, said Zoller, who noted that eight years ago Microsoft patched a path traversal bug in May 2001. "Its resemblance to the IIS Unicode flaw from 2001 was so similar that my jaw first dropped," he said in a blog entry last Saturday. "The bug discovered by Rangos seems to suffer from a similar logic mistake [as MS01-026. Later that year, Microsoft patched other IIS bugs, including the one exploited by Code Red.

This newest flaw, however, is not related to the Code Red vulnerability.

Microsoft's Ness outlined several workarounds that users could take until a patch was available, including disabling WebDAV, in IIE 5, 5.1 and 6. The company did not explicitly promise a patch, but its advisory included boilerplate language -- "Microsoft will take the appropriate action to help protect our customers -- that typically indicates a fix is forthcoming.

The next regularly-scheduled Microsoft patch day is June 9, three weeks from today.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection

Tags iiswebdavserversMicrosoft

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Gregg Keizer

Computerworld (US)
Show Comments

Cool Tech

Breitling Superocean Heritage Chronographe 44

Learn more >

SanDisk MicroSDXC™ for Nintendo® Switch™

Learn more >

Toys for Boys

Family Friendly

Panasonic 4K UHD Blu-Ray Player and Full HD Recorder with Netflix - UBT1GL-K

Learn more >

Stocking Stuffer

Razer DeathAdder Expert Ergonomic Gaming Mouse

Learn more >

Christmas Gift Guide

Click for more ›

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?