Millions of websites affected by unpatched flaw in Microsoft IIS 6 web server

An exploit for a zero-day vulnerability in Microsoft IIS 6.0 was published online, increasing the risk of attacks

IDG

IDG

A proof-of-concept exploit has been published for an unpatched vulnerability in Microsoft Internet Information Services 6.0, a version of the web server that's no longer supported but still widely used.

The exploit allows attackers to execute malicious code on Windows servers running IIS 6.0 with the privileges of the user running the application. Extended support for this version of IIS ended in July 2015 along with support for its parent product, Windows Server 2003.

Even so, independent web server surveys suggest that IIS 6.0 still powers millions of public websites. In addition, many companies might still run web applications on Windows Server 2003 and IIS 6.0 inside their corporate networks, so this vulnerability could help attackers perform lateral movement if they access such networks through other means.

There's evidence that this IIS vulnerability has been known by a limited number of attackers since at least July or August of last year. However, the publishing earlier this week of an exploit for it on GitHub makes it accessible to a larger number of hackers.

"Other threat actors are now in the stages of creating malicious code based on the original proof-of-concept (PoC) code," researchers from Trend Micro said in a blog post Wednesday.

According to the exploit's authors, the vulnerability is a buffer overflow in the ScStoragePathFromUrl function of the IIS 6.0 WebDAV service. It can be exploited through a specially crafted PROPFIND request.

Web Distributed Authoring and Versioning (WebDAV) is an extension of the standard Hypertext Transfer Protocol (HTTP) that allows users to create, change and move documents on a server. The extension supports several request methods, including PROPFIND, which is used to retrieve the properties of a resource.

Since Microsoft won't patch this vulnerability, one possible mitigation is to disable the WebDAV service on IIS 6.0 installations. Security firm ACROS Security has also developed a free "micropatch" for this vulnerability -- an unofficial patch that can be applied without restarting the affected server or even IIS process.

However, the best course of action would be to migrate affected websites to a newer IIS and Windows Server version altogether, as there are probably other vulnerabilities out there that also affect this platform and won't get patched.

A March survey by web analytics firm Netcraft revealed that around 185 million websites are still hosted on over 300,000 web servers that run Windows Server 2003.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Brand Post

PC World Evaluation Team Review - MSI GT75 TITAN

"I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it."

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Luke Hill

MSI GT75 TITAN

I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Laura Johnston

MSI GS65 Stealth Thin

If you can afford the price tag, it is well worth the money. It out performs any other laptop I have tried for gaming, and the transportable design and incredible display also make it ideal for work.

Andrew Teoh

Brother MFC-L9570CDW Multifunction Printer

Touch screen visibility and operation was great and easy to navigate. Each menu and sub-menu was in an understandable order and category

Louise Coady

Brother MFC-L9570CDW Multifunction Printer

The printer was convenient, produced clear and vibrant images and was very easy to use

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?