Exclusive: Major security flaw hits Microsoft

More embarrassment for Microsoft security as yet another flaw is discovered. Will Knight brings you this exclusive report

A British security expert claims to have uncovered a major security flaw in Microsoft's Web server software, Internet Information Server 4 (IIS).

David Litchfield a Windows NT specialist with British firm Cerberus Information Security, says the latest exploit against a Microsoft product allows a malicious hacker to gain unauthorised access to sensitive files, including cached or stored credit card details, address information, user IDs and passwords. Of most concern is the way these details can be seized: typing a simple URL into any browser makes it possible to gain access to files on Web servers running IIS, that have not been specifically configured to disable the exploit.

According to Litchfield, the situation is serious. "It takes no expertise [to use this technique] at all. It's so easy to exploit, I dare not give out a specific example. It would just fall into the hands of script kiddies [a copycat who uses someone else's techniques to hack a system]." ZDNet UK News has a copy of the exploit technique.

Thousands of e-commerce Web sites use IIS prompting Litchfield to warn a number of high profile UK e-commerce sites he believed were vulnerable.

Last year Microsoft suffered a major PR blow when its Hotmail service -- the world's leading Web based email service -- was left open to attack by a similarly simple hacking technique. But it is not just Microsoft's products that are vulnerable to attack: there have been several security breaches of high-profile e-commerce Web sites illustrating the precarious nature of the fledgling technology.

Visa, for example, recently confirmed receiving ransom demands from individuals claiming to be able to bring down their computer system. E-commerce Web site CDUniverse was also struck by a computer hacker who stole hundreds of credit card numbers and published them on the Internet.

Mark Tennant, Microsoft product manager for NT Server told ZDNet UK News, Thursday that although Microsoft products had made headlines recently for its security flaws, it was to be expected. "This product is a mainstream product with millions of users, obviously with that many users flaws are more likely to be picked up." Ostensibly that might be true, but to observers, those who see Microsoft products hacked time and again, isn't it a worrying pattern?

Tennant disagrees and drew comparisons with Linux "which doesn't have millions of users so you therefore don't hear of this type of issue". He added: "Microsoft is completely committed to security." Asked if that commitment could guarantee Windows 2000 -- NT's big brother due next month -- would not suffer the same sort of security flaws as its predecessor Tennant said: "I cannot predict what could happen a month down a line... but we are committed to security."

Litchfield suggests the pressure put on organisations to get online, by both government and software houses has led to companies leaving themselves wide open to computer criminals. "The World Wide Web is a hacker's paradise," he remarks. "The lure of e-commerce as an effective channel to further promote a business and fuel its success has led to too many companies getting 'connected' too quickly, sacrificing security for speed."

Security consultant Neil Barrett from another security firm, UK Information Risk Management, agrees: "The Holy Grail to any hacker is the remote access exploit. In the past problems with IIS have mainly been denial of service. If this exploit does what it says it does, it's down to how well credit card details are protected on a system which we know from experience is not very well at all." As a first defence Barrett advises either an intrusion detection system or encryption or ideally "both".

Full details of the exploit are available from the Cerberus Web site at this address:http://www.cerberus-infosec.co.uk/adviishtw.html and a patch for Internet Information Server 4 may be downloaded from the Microsoft security home page.

What do you think? Tell the Mailroom. And read what others have said.

Take me to the e-commerce special.