Microsoft refutes IIS vulnerability claims

Software giant says investigation of possible vulnerability in its Internet Information Services, found Web servers that do not adhere to its best practices, to blame.
Written by Vivian Yeo, Contributor

Microsoft has denied claims of a new vulnerability in Internet Information Services (IIS) 6, putting the blame instead on poorly-configured Web servers.

In a blog post Tuesday, Redmond said it had completed an investigation into claims that a flaw in how the IIS interprets file extensions in uniform resource locators (URLs) can enable an attacker to bypass content filtering software to upload and execute code on an IIS server. The company found "no vulnerability" in IIS.

Security researcher Soroush Dalili highlighted the issue on Christmas Day in a paper released via his Web site, describing the impact as "highly critical for Web applications".

The problem, he explained, is that IIS runs any executable extensions when they are buried within a URL and separated by a semi-colon. On the other hand, common system protection involves checking only the last or extension portion of the file name. The file "malicious.asp;.jpg" for example, would be detected as a JPEG (Joint Photographic Experts Group) file and then executed as an ASP (Active Server Page) file on the server.

"In a measurement which was performed in summer 2008 on some of the famous Web applications, 70 percent of the secure file uploaders were bypassed using this vulnerability," Dalili wrote in the paper.

According to him, the problem affects IIS 6 and earlier versions, but has no effect on IIS 7.5. IIS 7 has not yet been tested.

Microsoft admitted in its blog that there was an inconsistency in the handling of semi-colons by the IIS, but pointed out that only Web servers that are deployed insecurely are at risk of the problem.

"For the scenario to work, the IIS server must already be configured to allow both 'write' and 'execute' privileges on the same directory," Microsoft said in the blog post. "This is not the default configuration for IIS and is contrary to all of our published best practices."

It added that customers who use IIS 6 in its default mode or follow Microsoft's recommended best practices "don't need to worry" about the issue. The software giant advised users who do not fall in the other categories to review its best practices "and make changes to better secure your system from the threats that configuration can enable".

Security vendor Secunia has labeled the situation "less critical", issuing a rating of two out of a possible five.

However, Symantec's Patrick Fitzgerald reported in a blog post Tuesday, that open source penetration testing community, Metasploit, has added support for exploitation of the issue on its framework.

With this support, "badly-configured servers" can be more easily compromised, the blog stated. "This development could see a rise in exploitation of this issue," warned Fitzgerald.

Dalili, in a comment on his blog, reiterated the severity of the problem. "In some cases although you can gain access to the admin panel of the Web site, you can only upload some images.

"Now, perhaps you can bypass it and upload a Web shell to read all the source codes, download some important data, and so on," he said.

Editorial standards