Hacker exploits Microsoft bug online

Virus experts shift the blame from the hackers to the companies who are lax about installing patches
Written by Wendy McAuliffe, Contributor

A Japanese hacker has surreptitiously posted a programme on the Net which gives remote attackers complete control of vulnerable servers running Microsoft's popular Web server software. The source code is thought to have gone unnoticed for two weeks.

The hacking script was posted last week on the Geocities home page of a Japanese hacker who uses the nickname "HighSpeed Junkie". The code, which was programmed on 21 June, exploits a recently discovered bug in Microsoft's Internet Information Server (IIS), which contains a buffer overflow flaw that could enable a hacker to gain full, system-level control of a server.

"It is a very serious vulnerability -- it's important to install the relevant patches as there are scumbags out there who will write programmes to exploit these vulnerabilities," said Graham Cluley, senior technical consultant at antivirus firm Sophos.

An anonymous third party also posted a link to the exploit code on the Windows security mailing list Win2KSecAdvice last Wednesday. It claimed that the source programme is already listed in the file archives of at least one underground hacking site. The author insists that the existence of this code proves that efforts by vendors and governments to prevent the release of such programmes are futile. "All those opposed to full disclosure, be damned," he argues.

Microsoft alerted its six million customers to the problem on 18 June, and released a patch that protects IIS servers from attacks that exploit the vulnerability. The report warned the vulnerability "would give the attacker the ability to take any desired action on the server, including changing web pages, reformatting the hard drive or adding new users to the local administrators group".

Cluley defends Microsoft's openness about the bug, despite acknowledging that vulnerabilities are frequently found in IIS. He argues that companies only have themselves to blame for not installing patches as soon as they are released. "There is a lackadaisical attitude amongst companies towards patches -- it is easy to sign up to the alerts about them, so everyone should have applied the patches to this vulnerability by now."

Microsoft was unavailable for comment at the time of going to press.
