US Report: Microsoft warns of IIS security hole

Remote Data Service is installed by default when IIS 4.0 is implemented using the Microsoft Windows NT Option Pack. Microsoft's IIS development team discovered that a component of Remote Data Service, DataFactory, allows an intruder who has gained possession of a password and the name of a target database to submit a query to the database remotely and get results.

Microsoft aired the exposure to its IIS developers through a July 15 bulletin as part of its new Security Advisor Notification Service, which it began two weeks ago.

"Security issues will come up. It's important to get timely and accurate information" into the hands of customers, said Karan Khanna, Windows NT security product manager.

Khanna said no known cases have come up of malicious hackers exploiting the hole. In addition to subscribers to the notification service, the bulletin is posted at the Web site.

Microsoft also notified the Computer Emergency Response Team at Carnegie Mellon University and the Department of Energy.

The problem can be corrected when a systems administrator deletes three keys from the IIS server registry. Khanna termed the problem "a configuration issue, not a security issue," since no breaches have occurred. But he acknowledged that the hole is created inadvertently through installation of IIS 4.0 with the NT Option Pack, which installs DataFactory as a default means of remote access to databases. Any relational database accessed through the Open Database Connect set of drivers could be subject to an unauthorised query through DataFactory.

Khanna said such a move was unlikely because the intruder would have to gain legitimate passwords for the local site. But password-guessing dictionaries or common-password-guessing programs have been used at sites in the past to come up with a working password, as noted elsewhere on the Microsoft Security Advisor site.

Microsoft's Security Advisor Notification Service can be reached at www.microsoft.com/security