Microsoft has released a patch for ten new vulnerabilities in newer versions of its Internet Information Services (IIS) server software, some of which are serious enough to allow attackers to take over the server and execute any code of their choosing.
Some of the security bugs were discovered by Microsoft in the course of its own investigations, which are part of an stepped-up drive to make Microsoft products less vulnerable to Internet attacks. Microsoft has been criticised for leaving too many security holes in software like the Outlook email client, the Internet Explorer browser, IIS and Windows.
The patch, available on Microsoft's Web site, also includes fixes for already released patches. IIS versions 4, 5 and 5.1 are susceptible to the vulnerability, Microsoft said. Beta build versions 3605 or higher of .Net Server already contain the fix. IIS 6 is included with .Net Server.
The critical bugs covered by the patch are all buffer overrun flaws, which allow an attacker to trick the server into crashing or executing the attacker's code.
Microsoft deemed three of the fixes as critical for all three versions of IIS and one as critical for IIS 4 and 5. The other new vulnerabilities pose either a moderate or a low security threat.
Many of the new fixes have to do with so-called buffer overflow or denial-of-service attacks that could cripple Web sites. In a buffer overflow, an attacker floods a field, typically an address bar, with more characters than it can accommodate. The excess characters in some cases can be run as "executable" code, effectively giving the attacker control of the computer without being constrained by security measures.
Microsoft recommends that IIS operators either download the patch separately or, if running Windows XP, retrieve the fix using the automatic update feature. The IIS 4 patch requires that Service Pack 6a be applied to Windows NT Server. The IIS 5 patch can be applied to Windows 2000 running either Service Pack 1 or 2. Microsoft recommends that the IIS 5.1 patch be applied to systems running Windows XP Professional.
The IIS 5 patch will be included in Windows 2000 Service Pack 3, which is in beta testing. The fixes for IIS 5.1 will be included in Windows XP Service Pack 1, which is expected to begin beta testing next month.
In addition to applying the patches, Microsoft said, IIS operators should download and use IIS Lockdown Tool 2.1, which turns off unnecessary features that if left on could create vulnerabilities for hackers to exploit.