The flaw allows malicious users to read and execute files on Web sites simply by requesting a specific Web address. Microsoft released a bulletin about the problem Tuesday, urging customers to patch its systems and warning, "It is important not to underestimate the damage that a malicious user could cause."
There are no reports yet of the exploit being used, but since the underground learned of the flaw before Microsoft, it's possible Web sites have been attacked using it for some time.
Dozens of security vulnerabilities are discovered every day, most by zealous researchers or hobbyists who immediately report the problems to software companies. But some flaws are found by the computer underground and are kept secret for days, weeks, even months. Computer hackers call them "zero-day" exploits. So long as they remain "zero-day," computer intruders can have a field day with them, sure that there is no known patch for the problem.
It's not known how long this new Web server flaw has been known in the underground, but the problem was being discussed openly on a hacker bulletin board for at least a week.
But posters to that board offered an imperfect explanation of the flaw, and it appears they didn't quite grasp the extent of the problem.
Microsoft did. It had its network of customers service representatives visit thousands of customers around the world Saturday, Sunday, and Monday, insisting that they install the patch immediately.
"We told them, 'Call your customers, wake them up, get their systems patched," said Scott Culp, who runs Microsoft's emergency response team. (MSNBC is a Microsoft-NBC joint venture.)
A severe problem
The flaw allows a malicious computer user armed with a single, specially formed URL to access any files on a Web server. The intruder can also run programs on the server, but wouldn't be able to view administrative passwords. Still, the problem is severe, Culp said.
"For our customers who haven't installed the patch yet, whatever they're doing, they need to stop and go get the patch right now," he said.
Coincidentally, a patch Microsoft developed in August already fixes the problem. But Culp said many Microsoft customers hadn't applied that patch yet.
The first mention of a problem came Oct. 10, when an anonymous poster bragged on a computer hacker bulletin board that he or she could execute commands on Microsoft-powered Web servers simply by appending a specific string to the end of a Web address.
That post eventually caught the attention of a researcher who goes by the psuedonym Rain Forest Puppy, who brought the problem to Microsoft's attention on Friday.
Special characters beat the system
Microsoft's Web server software, called IIS, is supposed to prevent requests for any file that's not meant to be displayed on a Web page. But by including special characters in the URL, an attacker is able to circumvent the filter meant to prevent such requests. Then the intruder can view any file that's sitting on the same hard drive that serves up Web pages.
The fact that problem was discussed in so open a forum suggested that it may have been used for some time to attack Web sites, according to Elias Levy, who administers the BugTraq mailing list where the flaw was released publicly Tuesday.
"None of the people that responded to the original message were able to reproduce the problem. But who knows about the ones that did not respond?" Levy said.
"This goes to show that even today many vulnerabilities are discovered in the underground before they show up in public, which is why giving information to the public as soon as possible should be a high priority to anyone disclosing vulnerabilities."
Culp said Microsoft monitored hacker discussion groups throughout the weekend, and while it was clear some notion of the flaw had been discussed, it didn't appear anyone outside Microsoft and Rain Forest Puppy knew exactly how it worked.
"We didn't see anything that suggested it had gotten out," Culp said, but added, "It's imposible to say how widespread knowledge is in underground."