A Japanese hacker has surreptitiously posted a program on the Net which gives remote attackers complete control of vulnerable servers running Microsoft's popular Web server software.
The source code is thought to have gone unnoticed for two weeks.
The hacking script was posted last week on the Geocities home page of a Japanese hacker who uses the nickname "HighSpeed Junkie". The code, which was programmed on 21 June, exploits a recently discovered buffer overflow flaw in Microsoft's Internet Information Server (IIS) that could enable a hacker to gain full, system-level control of a server.
"It is a very serious vulnerability--it's important to install the relevant patches as there are scumbags out there who will write programs to exploit these vulnerabilities," said Graham Cluley, senior technical consultant at antivirus firm Sophos.
An anonymous third party also posted a link to the exploit code on the Windows security mailing list Win2KSecAdvice last Wednesday. The poster claimed that the source program is already listed in the file archives of at least one underground hacking site.
The author insists that the existence of this code proves that efforts by vendors and governments to prevent the release of such programs are futile. "All those opposed to full disclosure, be damned," he argues.
Microsoft alerted its six million customers to the problem on June 18, and released a patch that protects IIS servers from attacks that exploit the vulnerability. The report warned that the vulnerability "would give the attacker the ability to take any desired action on the server, including changing web pages, reformatting the hard drive or adding new users to the local administrators group".
Cluley defends Microsoft's openness about the bug, while admitting that vulnerabilities are frequently found in IIS. He argues that companies only have themselves to blame for not installing patches as soon as they are released. "There is a lackadaisical attitude amongst companies towards patches--it is easy to sign up to the alerts about them, so everyone should have applied the patches to this vulnerability by now."
Microsoft was unavailable for comment at the time of going to press.