Microsoft confirms server vulnerability warning


Microsoft has activated its security response process to deal with the release of exploit code targeting an unpatched vulnerability affecting IIS 5.0 through 6.0.

The company released a formal pre-patch advisory to acknowledge the vulnerability and offer mitigation guidance for customers.

Microsoft is investigating new public reports of a possible vulnerability in Microsoft Internet Information Services (IIS). An elevation of privilege vulnerability exists in the way that the WebDAV extension for IIS handles HTTP requests. An attacker could exploit this vulnerability by creating a specially crafted anonymous HTTP request to gain access to a location that typically requires authentication.

We are not aware of attacks that are trying to use this vulnerability or of customer impact at this time. Microsoft is investigating the public reports.

Affected Software:

  • Microsoft Internet Information Services 5.0
  • Microsoft Internet Information Services 5.1
  • Microsoft Internet Information Services 6.0

Microsoft's advisory comes just days after a hacker known as "Kingcope" published details of the vulnerability (.PDF) on several mailing lists.

Thierry Zoller has been maintaining detailed notes on this issue:

  1. WebDAV is not enabled by default on IIS6; IIS7 + WebDAV is not affected.
  2. IIS 5 and IIS 5.1 are also affected.
  3. Enabling WebDAV applies to all websites and doesn't have to be enabled per site.
  4. You can actually upload content to the web server if the IUSR_anonymous has write access to WebDAV folders. (To any other folder if the account has write access to other folders.)
  5. This seems to have a similar root cause to the 2001 Unicode IIS4/5 bug, but not exactly the same.
  6. "Translate:f" is required for GET requests; PROPFIND works without the translate option.
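
For administrators triaging an exposed IIS 5.x/6.0 server, the sketch below is an added example (not from Microsoft's advisory or Zoller's notes) that scans an IIS W3C extended log for anonymous WebDAV-method requests that succeeded under a path expected to require authentication. The `/protected/` prefix and the log lines are constructed for illustration; the field names are the standard W3C extended ones.

```python
# Added example: flag anonymous WebDAV-related requests that succeeded
# under paths that are supposed to require authentication.
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE",
                  "LOCK", "UNLOCK", "PUT", "DELETE"}

# Constructed sample log (not real traffic); IPs are documentation ranges.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2009-05-19 10:01:02 192.0.2.10 - GET /index.htm 200
2009-05-19 10:01:05 192.0.2.44 - PROPFIND /protected/ 207
2009-05-19 10:01:09 192.0.2.44 - PUT /protected/note.txt 201
2009-05-19 10:02:00 198.51.100.7 CORP\\alice PROPFIND /protected/ 207
2009-05-19 10:02:30 192.0.2.44 - PROPFIND /protected/ 401
2009-05-19 10:03:00 192.0.2.10 - PROPFIND /public/ 207
"""

def parse_w3c(text):
    """Yield one dict per request, honoring the most recent #Fields line."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated rows
                yield dict(zip(fields, values))

def anonymous_webdav_hits(text, protected_prefixes=("/protected/",)):
    """Return (date, time, client, method, path) for suspicious rows.

    protected_prefixes is a hypothetical list of URL paths that should
    never be served to an unauthenticated client on this server.
    """
    hits = []
    for row in parse_w3c(text):
        method = row.get("cs-method", "").upper()
        path = row.get("cs-uri-stem", "")
        anonymous = row.get("cs-username") == "-"  # "-" means no user logged
        succeeded = row.get("sc-status", "").startswith("2")
        guarded = path.lower().startswith(tuple(protected_prefixes))
        if method in WEBDAV_METHODS and anonymous and succeeded and guarded:
            hits.append((row["date"], row["time"], row["c-ip"], method, path))
    return hits

if __name__ == "__main__":
    for hit in anonymous_webdav_hits(SAMPLE_LOG):
        print(*hit)
```

A hit is a lead for review, not proof of compromise: the same pattern appears if a listed path is intentionally open to anonymous WebDAV clients.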

Topics: Microsoft, Security, Servers


Talkback

20 comments
  • yet another reason to use Vista

    Vista and Windows Server 2008 are not affected.
    qmlscycrajg
    • Did you even read the article...

      It affects IIS regardless of the version of Windows, and only if WebDAV is enabled, which it is not by default.

      It does not affect IIS v 7.0, which you are only right about in the terms that 2008 runs version 7 by default.

      Your comment merely disregards the fact that not all organizations are in a position to migrate their servers over to 2008. There are several reasons to go to 2008, but it isn't always prudent to just make the jump without appropriate testing, planning, and verification that it won't seriously break something within the environment.

      Do you make out of hand comments like this to your CIO? If you do it is surprisingly shocking if you haven't had an RGE...
      xXSpeedzXx
      • Not to mention

        Skipping a generation on Server OS is usually a very cost effective way to do business. Most companies that have a web-facing Windows server are going to be running 2003 R2, as the reduced attack surface in R2 combined with the quick and easy nature of the upgrade made it a very attractive upgrade. 2008 is great but a major change and probably not enough to convince people to leave 2003 R2 behind for the sake of upgrade. Which looks like it will pay off since 2008 R2 will be out by year end and has a ton of improvements over 2008.
        LiquidLearner
    • Yes it does seem to be an after the fact idea.

      But the dedicated server is so necessary with today's networks; even at home it is timely to stay put with what is in the know. Like SQL and XP SP3. I liked SP2 better as a home user because improper shut downs on SP3 need network reboot; that is all I have to say about the internet is: ditto.
      Gillman_Zorgam
  • RE: Microsoft confirms server vulnerability warning

    Did I read the article. I was the first one to post here & my message was deleted. Well anyway, like I said earlier, I read about this before it was news here. Difference is that now Microsoft is finally owning up to this. I wonder if the children here who deleted my post will now own up to this.
    Intellihence
    • I doubt it was deleted

      It most likely was never fully posted. As when a post is deleted, it says "This post has been removed".
      Stuka
      • It could have been...

        After all, there have been times when zdnet have fully removed posts (as in you can see no trace of them) not just left them flagged as removed/deleted.
        zkiwi
        • Like what I posted below,,,

          read the post below, that is if they haven't removed it.
          Intellihence
        • Removed posts

          I have had posts completely removed, with no trace at all, from 2 separate ZDNet Talkbacks, twice, in the last few weeks. I had bookmarked these posts so I know they had been posted completely.

          ZDNet do themselves no favours at all by editing non-offensive criticism; it's probably just a coincidence that in each case the criticism was levelled at one of their major advertising cash cows. It's a sad day when $$$ give a corporation editorial say-so in what is trumpeted as a "public" Talkback.
          whisperycat
    • It's right here where it's always been:

      http://talkback.zdnet.com/5208-9595-0.html?forumID=1&threadID=64716&messageID=1204458

      "I wonder if the children here who deleted my post will now own up to this."

      The question is will you apologize for your mistake?
      ye
      • Before that one to ye

        aight
        Intellihence
  • Gee, where are all the Redmond fanboys at?

    Why aren't they here defending the indefensible?

    lol... :D
    Wintel BSOD
    • Maybe Because...

      It's unrealistic to think that there's a piece of software out there that deals with networking that does not have flaws. Let's be realistic. Hackers are very creative! Didn't MacOS have a bunch of vulnerabilities patched? Doesn't Ubuntu have patches released for it? I promise you Windows 7 will have patches. So all you little fanbois out there expecting perfection, code your own networking software. Good luck!!
      GameOvR
      • Oh there's one

        He finally showed up!

        lol... :D
        Wintel BSOD
  • Ball State University still floored by this Microsoft drop-off

    Calling LoveRock, Ye and the usual suspects ..... tumbleweed ..... calling Ye ...... calling Loverock ..... oh dear, reality can be SO painful. You can always tell when reality is painful - "Microsoft declined to comment".


    http://www.theregister.co.uk/2009/05/20/iis_bug_fells_university_server/
    Hackers have wasted no time targeting a gaping hole in Microsoft's Internet Information Services webserver, according to administrators at Ball State University, who say servers that used the program were breached on Monday.

    As of Wednesday morning California time, iWeb accounts at the Muncie, Indiana-based university remained inaccessible and service wasn't expected to be restored until Thursday or Friday, Patty Lucas, a senior help desk support admin for Ball State's Computing Services said. University administrators were working with Microsoft employees to investigate and fix the break in.

    Microsoft declined to comment.
    whisperycat
    • Yawn.

      The Register's story suggested that the server was mis-configured. I betcha even Apache is hacked when it is mis-configured.
      PMC-CON
      • You can make things up, but expect to get called out...

        There was no mention anywhere in the article that anything was mis-configured. Let's repeat that in case you weren't paying attention...your assertion that the story suggested that the server was mis-configured was nothing but a bold faced lie. There was no mention anywhere about the server being misconfigured. What there was, however, was Microsoft's version of Baghdad Bob out there claiming that they see no attacks out there in the wild trying to use this vulnerability. You can bet all you want that Apache can be hacked when it is misconfigured, but I'll double down on a bet that you can't point to where anyone in the Register's story even hinted at a mis-configured server.
        jasonp@...
  • It's not a vuln, it's an EXPLOIT

    Why do you constantly inflate any potential vulns for Mac OS
    X and at the same time downplay actual EXPLOITS for
    Windows?

    Oh, right, because of your bias.
    comp_indiana