Microsoft: IIS 6.0 Has 'Inconsistencies,' but No Bug

Microsoft denied that its Internet Information Services (IIS) Web server software is subject to new-found security vulnerability.

The bug was first reported to Microsoft Dec. 23, but Microsoft closed the investigation last week claiming that the potential problem isn't a vulnerability. Microsoft spokesperson Christopher Budd said in a Dec. 29 blog that there are some "inconsistencies" with IIS version 6.0, but no "new" exploits.

Details of the so-called vulnerability first surfaced Christmas Day when security researcher Soroush Dalili posted findings on his personal blog. Dalili's assertion gained credence from third-party security company Secunia, which last updated its own findings Dec. 30.

Secunia explained that the IIS problem results from the Web server "incorrectly executing Active Server Page code in files with extensions separated by semicolons (e.g. 'file.asp;.jpg')." The security firm explained that this IIS bug "can be exploited to potentially upload and execute arbitrary ASP code via a third-party application using file extensions to restrict uploaded file types."

This discovery marked the third time in 2009 that IIS bugs or glitches have been identified. Microsoft's security researchers disagreed, saying that the exploit could only happen if the server was misconfigured to have both write and execute privileges, contrary to IIS 6.0 best practices for security. Budd suggested that Microsoft is considering changing IIS 6.0 to make its functionality more "in line with the other versions" of the Web server software.

"What we have seen is that there is an inconsistency in IIS 6 only in how it handles semicolons in URLs," Budd said in his post. "It's this inconsistency that the claims have focused on, saying this enables an attacker to bypass content filtering software to upload and execute code on an IIS server."

Dalili and Secunia explained the issue differently, saying that the real problem is that IIS can execute any extension as ASP code.

"By using this vulnerability, an attacker can bypass this protection and upload a dangerous executable file on the server," Dalili said in his post.

Budd suggested users should review Microsoft's best practices for IIS 6.0 security, particularly if the Web server is configured with both write and execute privileges on the same directory.

About the Author

Jabulani Leffall is a business consultant and an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others. He consulted for Deloitte & Touche LLP and was a business and world affairs commentator on ABC and CNN.

Featured

  • tutors helping young students with laptops against a vibrant abstract background

    K12 Tutoring Earns ESSA Level II Validation

    Online tutoring service K12 Tutoring recently announced that it has received Level II validation underneath the Every Student Succeeds Act (ESSA). The independently validated study provides evidence of K12 Tutoring's role in creating positive student outcomes through effective academic intervention and research-based solutions.

  • pattern of icons for math and reading, including a pi symbol, calculator, and open book

    HMH Launches Personalized Path Solution

    Adaptive learning company HMH has introduced HMH Personalized Path, a K-8 ELA and math product that combines intervention curriculum, adaptive practice, and assessment for students of all achievement levels.

  • computer science classroom featuring a desktop setup with code on the screen, a large wall display with charts, and a labeled book on a clean desk

    McGraw Hill Expands CTE Offerings

    Education company McGraw Hill has announced a host of new career and technical education courses, designed to help learners gain professional, technical, and academic skills for workforce success.

  • DreamBox Math

    Discovery Education Announces Updates to Experience, DreamBox Math

    K-12 learning solution provider Discovery Education has announced enhancements to its Discovery Education Experience and DreamBox Math products, designed to create a more personalized, engaging learning experience for students.