Microsoft debunks IIS vulnerability claims
In a blog post on Tuesday, the company said it had completed an investigation into claims that a flaw in how IIS interprets file extensions in uniform resource locators (URLs) can enable an attacker to bypass content-filtering software to upload and execute code on an IIS server. The company found "no vulnerability" in IIS.
Security researcher Soroush Dalili highlighted the issue on Christmas Day in a research paper released via his website, describing the impact as "highly critical for web applications".
For more on this story, read "Microsoft debunks IIS vulnerability claims" on ZDNet Asia.
Talkback Most Recent of 14 Talkback(s)
-
Soroush knew about this problem in April 2008!
Someone asked him why it took so long to disclose it - apparently he has been so busy doing his degree he didn't have time - that is one busy person! How long does it take to write an email! Also why wait until Christmas Day? Why not disclose it responsibly? Just sounds like another idiot trying to make a name for himself.
planruse 30th Dec 2009 -
Seems like this should squash it.
and I see this as setup requirement for uploads
http://soroush.secproject.com/downloadable/iis-semicolon-report.pdf
Remove 'execute' permission from the upload directories (folders).
mrlinux 30th Dec 2009 -
Doh!
"Remove 'execute' permission from the upload directories (folders)."
Indeed. This seems to be an application problem - like the popular SQL injections. An
application accepts a file with a funky name and uses it for the file name on the
server. At the same time the server has assigned execute scripts permission on the
****** upload directory?
It should be self-evident, but even so it has also been mentioned in the security best-
practices for IIS:
Do not assign Write and Script source access permissions or Scripts and Executables
permissions. Use this combination with extreme caution. It can allow a user to upload
potentially harmful executable files to your server and run them. For more information, see
Securing Sites with Web Site Permissions.
(http://technet.microsoft.com/en-us/library/cc782762(WS.10).aspx)
honeymonster 30th Dec 2009 -
mistake by sysadmin
It just tells you a lot about this Suresh guy. Somebody (read "sysadmin") must've assigned execute permissions to this folder. Yeah, let's assign random permission to the key directories on your website and see what kind of funky stuff will happen and write about it as if it is the greatest news in the world.
pupkin_z 2nd Jan 2010 -
Insecure permissions
Shouldn't Microsoft have made it impossible to set certain permissions, as a security precaution? (Or would that make the software un-usable?) I am not a professional in this area, so I don't know if my question makes sense...
barence773 3rd Jan 2010 -
Disallowing executable writable
Would definitively be too restrictive. Maybe
they should warn about it in the GUI - as a
best practice warning. But outright preventing
it would break too many legitimate uses.
Yes - there are probably legitimate reasons for
allowing it. A very dynamic CMS comes to mind.
There is actually something of a bug in IIS6:
If you request a file called "Attack.ASP;.jpeg"
- IIS6 may see this as "Attack.ASP" and
disregard the extra letters. This will cause it
to treat it as an ASP file - and execute the
script inside. Now, if the developer has coded
validation to ensure that only .jpeg files are
uploaded this may be a way to sneak by
executable scripts.
The "controversy" here is more on the severity
rating than whether there is a bug or not.
There is a bug - it is just not very likely
that many websites have been coded (and set up)
in such a way that they are vulnerable to this.
honeymonster 3rd Jan 2010 -
Good point, but might I add...
...if you want to upload only JPEG files, the web developer should not make that same directory capable of running scripts, and should always validate for legit file specs anyway (injection issues). I agree with you that this may be "something of a bug", but very minor indeed.
I do think that articles like this help web developers think about the importance of site setup.
batpox 4th Jan 2010 -
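An added example, not part of any comment above and not Microsoft's or the researcher's code: it compares a last-extension upload check with the semicolon behaviour honeymonster describes for "Attack.ASP;.jpeg", then shows a stricter check that stores files under server-generated names. All function names are hypothetical, and the semicolon model follows the comment's description rather than IIS itself.

```python
import os
import re
import uuid

ALLOWED_EXTENSIONS = {".jpg", ".jpeg"}
SAFE_STEM = re.compile(r"^[A-Za-z0-9_-]{1,64}$")

def naive_is_allowed(filename):
    """The validation the comment describes: look only at the final extension."""
    return os.path.splitext(filename)[1].lower() in ALLOWED_EXTENSIONS

def extension_before_semicolon(filename):
    """Model (assumption) of the described behaviour: everything from the
    first ';' onward is disregarded before the extension is read."""
    return os.path.splitext(filename.split(";", 1)[0])[1].lower()

def strict_is_allowed(filename):
    """Accept only '<safe stem>.<allowed ext>': no path parts, no ';', one dot."""
    if filename != os.path.basename(filename.replace("\\", "/")):
        return False
    stem, ext = os.path.splitext(filename)
    return bool(SAFE_STEM.match(stem)) and ext.lower() in ALLOWED_EXTENSIONS

def stored_name(filename):
    """Never reuse the client's name on disk: keep the validated extension
    and generate the stem on the server."""
    if not strict_is_allowed(filename):
        raise ValueError("rejected upload name: %r" % filename)
    return uuid.uuid4().hex + os.path.splitext(filename)[1].lower()

def audit(names):
    """Rows of (name, naive verdict, strict verdict, parsers disagree)."""
    rows = []
    for name in names:
        naive = naive_is_allowed(name)
        disagree = naive and extension_before_semicolon(name) not in ALLOWED_EXTENSIONS
        rows.append((name, naive, strict_is_allowed(name), disagree))
    return rows

# Constructed sample names; the second is the one quoted in the thread.
SAMPLE_NAMES = ["holiday.jpeg", "Attack.ASP;.jpeg", "photo.JPG",
                "..\\x.jpeg", "notes.txt"]

if __name__ == "__main__":
    for row in audit(SAMPLE_NAMES):
        print(row)
```

Name validation is only one layer; the upload directory should still have script and execute permission removed, as the comments above recommend.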
Your security (internet or otherwise)
is directly dependent on society's ignorance.
As computers gradually attain global control, more and more private individuals become computer educated, rendering public security less and less, since education is the opposite of ignorance.
It's an ironclad formula.
Ignorance = don't know anything
Education = know all about it
Ole Man 30th Dec 2009 -
SoYouSaid 31st Dec 2009 -
Microsoft's "denial" doesn't constitute "debunking" anything.
It's just a self-serving assertion, blaming their customer, from a company famous for its treatment of "truth" as a disposable commodity.
Henry Miller 1st Jan 2010 -
Microsoft has always blamed everybody else for everything
With their record of success, why should they change their modus operandi now?
http://blog.marcocantu.com/blog/microsoft_blames_vista_users.html
Microsoft Blames Users for Vista Problems
An article covering "Five Misunderstood Features in Windows Vista" claims that all Vista problems are only perceived by users and blames their judgment of the OS. You can get upset, or have a good laugh.
http://news.zdnet.co.uk/software/0,1000000121,39418108,00.htm
Microsoft blames users for Vista infections
http://www.builderau.com.au/news/soa/Microsoft-blames-users-for-OneCare-fiasco/0,339028227,339274293,00.htm
Microsoft blames users for OneCare fiasco
http://blogs.zdnet.com/Burnette/?p=65
Open source gets results, while Microsoft blames malware on 'stupid users'
Posted by Ed Burnette @ 2:21 pm
http://boycottnovell.com/2009/02/14/never-blame-microsoft-blame-users-and-exploits/
Never Blame Microsoft, Blame Users and Exploits
http://pcworld.about.com/od/windows/Microsoft-blames-human-error-f.htm
Microsoft blames human error for WGA glitch
Microsoft Corp. blamed human error for a problem that identified legitimate Windows users as pirates last week.
Ole Man 2nd Jan 2010 -
Lester Young 4th Jan 2010 -
Microsoft in this case is right
Before you flame, take the time to read Redmond's findings: This is only a problem if you have configured your web server to allow anyone to upload and execute arbitrary scripts on your server.
batpox 2nd Jan 2010 -
Microsoft says "'tain't so!"
and that means "debunked?"
Wait another month or two and see what turns up on Patch Tuesday.
I'm betting MS will "discover" some "completely unrelated" security flaw and patch it.
Time will tell...
oldbaritone 5th Jan 2010




