Microsoft Warns of Bug in IIS Server, Yet Again

For the second time this year, Microsoft issued a security advisory for possible vulnerabilities in its Internet Information Services (IIS) Web server software.

Prior to the advisory's release Tuesday, Redmond had said that IIS 5.0 and IIS 6.0 could be affected. In those versions of the software, the File Transfer Protocol (FTP) service may be porous enough to allow incursions. In Tuesday's announcement, the software giant stated that IIS 5.0, 5.1 and 6.0 could all be affected by "publicly disclosed vulnerabilities."

Such bugs, Microsoft said, "could allow remote code execution on affected systems that are running the FTP service and are connected to the Internet."

Vulnerabilities affecting IIS have been seen before. In May, Redmond issued a security advisory to address holes in IIS versions 5.0, 5.1 and 6.0. The software giant at the time said that it wasn't aware of any "known attacks" against IIS (as with this release), but that it was looking into the matter.

Tuesday's security advisory comes just after proof-of-concept code was released on the Milw0rm exploit discussion portal. According to Milw0rm, the code exploits holes in IIS 5.0 and 6.0 running on Windows 2000, enabling remote code execution via a stack overflow.

Microsoft issued this security advisory to address not just Windows 2000, but also XP, Vista, Windows Server 2003, Windows Server 2008 and even Windows 7.

IIS is among the world's most frequently used Web server applications, second only to the Apache HTTP server. Redmond has tried to address the threats in various ways.

About this time last year, Microsoft released the Web version of a tool called UrlScan 3.0, a complement to IIS that tracks and authenticates HTTP server requests, potentially blocking malicious code. Apparently hackers have studied this tool and have figured out a way to circumvent its effectiveness.

The problem has become so pervasive that, as a follow-up to its own advisory in May, the United States Computer Emergency Readiness Team issued another advisory this week saying that it "encourages administrators to disable anonymous write access to the FTP server to help mitigate the vulnerability." U.S. CERT added that "a proper impact analysis should be performed prior to taking defensive measures."

Security pros are taking notice as well.

"A workaround would be to set permissions on the FTP server to 'not allow' a remote user to create a directory on the FTP server," said Paul Henry, security and forensic analyst at Lumension.

Previous workarounds presented by Microsoft include recommending that system administrators maintain file system access control lists (ACLs) that are solid and enforceable. With a clamp-down on access control security, the elevation of privilege problem is lessened.

However, security specialists and observers are still awaiting another patch for IIS, especially since Microsoft found it important enough to issue a formal advisory.

"The [exploits] can easily be automated by combining with a scanning tool and we will see an increase in scanning for open FTP ports soon," said Wolfgang Kandek, chief technology officer at Qualys. "In addition to running IIS, vulnerable FTP servers also have to allow write access. This cuts down on the number of potential targets, but unfortunately even anonymous write access is good enough to make the server vulnerable."
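Both the US-CERT guidance above (disable anonymous write access) and Kandek's point that write access is the precondition that makes an exposed IIS FTP server worth worrying about suggest one concrete check an administrator can run today: go through the FTP server's own logs and look for write commands (MKD, STOR, DELE and so on) issued in sessions that authenticated as anonymous. The script below is an added example written for this article, not code from Microsoft, US-CERT, Qualys or Lumension. It assumes the IIS 6 FTP W3C log layout (`date time c-ip cs-username cs-method cs-uri-stem sc-status sc-win32-status`, with the command written as `[session]COMMAND`), and the sample log lines embedded in it are constructed, not a real capture. The oversized-argument heuristic is likewise an assumption added here, chosen because the article describes the bug as a stack overflow and an unusually long directory name in a log line is worth a second look.

```python
"""Triage IIS FTP W3C log lines for anonymous write activity.

Added example (not from the article or from Microsoft). Assumes the IIS 6
FTP log layout:
    date time c-ip cs-username cs-method cs-uri-stem sc-status sc-win32-status
where cs-method looks like "[1]MKD" (FTP session number, then the command).
"""
import re
from collections import defaultdict

# Constructed sample log (not a real capture). Session 1 is an anonymous
# user that succeeds in creating a directory and then sends an oversized
# name; session 2 is an authenticated user; session 3 only downloads.
SAMPLE_LOG = "\n".join([
    "#Software: Microsoft Internet Information Services 6.0",
    "#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status sc-win32-status",
    "2009-09-01 10:00:01 192.0.2.10 anonymous [1]USER anonymous 331 0",
    "2009-09-01 10:00:01 192.0.2.10 anonymous [1]PASS - 230 0",
    "2009-09-01 10:00:02 192.0.2.10 anonymous [1]MKD incoming 257 0",
    "2009-09-01 10:00:03 192.0.2.10 anonymous [1]MKD " + "A" * 300 + " 550 0",
    "2009-09-01 10:05:00 198.51.100.7 jsmith [2]USER jsmith 331 0",
    "2009-09-01 10:05:00 198.51.100.7 jsmith [2]PASS - 230 0",
    "2009-09-01 10:05:01 198.51.100.7 jsmith [2]MKD reports 257 0",
    "2009-09-01 10:06:00 203.0.113.9 anonymous [3]USER anonymous 331 0",
    "2009-09-01 10:06:00 203.0.113.9 anonymous [3]PASS - 230 0",
    "2009-09-01 10:06:01 203.0.113.9 anonymous [3]RETR readme.txt 226 0",
])

METHOD_RE = re.compile(r"^\[(\d+)\]([A-Za-z]+)$")
# FTP commands that modify the server's file system.
WRITE_COMMANDS = {"MKD", "STOR", "STOU", "APPE", "DELE", "RMD", "RNFR", "RNTO"}
# Account names IIS records for anonymous logins (assumption for the example).
ANONYMOUS_USERS = {"anonymous", "ftp"}


def parse_line(line):
    """Return a dict for one W3C log record, or None for comments/bad lines."""
    if not line or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) < 8:
        return None
    date, time, ip, user, method = parts[:5]
    status, win32 = parts[-2:]
    uri = " ".join(parts[5:-2])        # cs-uri-stem may contain spaces
    m = METHOD_RE.match(method)
    if not m:
        return None
    return {"date": date, "time": time, "ip": ip, "user": user,
            "session": int(m.group(1)), "command": m.group(2).upper(),
            "uri": uri, "status": status, "win32": win32}


def find_anonymous_writes(log_text, max_arg_len=255):
    """Flag write commands from anonymous sessions.

    A 2xx status on such a command means the server currently permits
    anonymous writes, which is exactly what US-CERT advises disabling.
    max_arg_len is a heuristic threshold (assumption) for suspiciously
    long command arguments.
    """
    findings = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        if rec["user"].lower() not in ANONYMOUS_USERS:
            continue
        if rec["command"] not in WRITE_COMMANDS:
            continue
        accepted = rec["status"].startswith("2")
        reasons = ["anonymous write command (accepted)" if accepted
                   else "anonymous write command (rejected)"]
        if len(rec["uri"]) > max_arg_len:
            reasons.append("oversized argument")
        findings.append({"ip": rec["ip"], "session": rec["session"],
                         "command": rec["command"], "status": rec["status"],
                         "accepted": accepted, "reasons": reasons})
    return findings


def summarize_by_ip(findings):
    """Count findings per client address, handy for spotting scanners."""
    counts = defaultdict(int)
    for f in findings:
        counts[f["ip"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for f in find_anonymous_writes(SAMPLE_LOG):
        print(f"{f['ip']} session {f['session']} {f['command']} "
              f"status {f['status']}: {', '.join(f['reasons'])}")
    print(summarize_by_ip(find_anonymous_writes(SAMPLE_LOG)))
```

Run it against a real IIS FTP log by replacing `SAMPLE_LOG` with the file contents; an "accepted" finding from an anonymous session is the signal that the write permission US-CERT refers to is still enabled, and a per-address count that climbs quickly across many sessions fits the automated scanning Kandek expects.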

About the Author

Jabulani Leffall is a business consultant and an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others. He consulted for Deloitte & Touche LLP and was a business and world affairs commentator on ABC and CNN.
