Web at risk from new MS flaw

Microsoft warns of a 'serious vulnerability' in its IIS software, installed on Web servers by default and used to run up to 6 million sites. Administrators are urged to patch the flaw - before it opens the door to a massive attack by hackers
Written by ZDNet Staff, Contributor

Microsoft said Monday that a "serious vulnerability" in its flagship Web server software used by computers running more than 6 million sites could allow hackers and online vandals to take control of the computers.

As first reported by CNET News.com, the flaw occurs in a component of Microsoft's Internet Information Service (IIS) software that is installed on Web servers by default, said Marc Maiffret, chief hacking officer with eEye Digital Security, the company that found the flaw.

"Pretty much any Web server (using Microsoft software) is basically left vulnerable to attack," he said. "Any hacker can basically get system-level access, which is the highest level of access on the computer," by using a program that exploits the problem.

In a strongly worded advisory released on its Web site Monday afternoon, Microsoft told its customers to download a newly released fix and to secure their sites before the Internet underground publishes tools to take advantage of the flaw.

"Clearly, this is a serious vulnerability, and Microsoft urges all customers to take action immediately," according to the company's advisory. "Microsoft strongly urges all Web server administrators to apply the patch immediately."

The flaw affects all versions of IIS running under Windows NT, Windows 2000 and a limited-release beta version of Windows XP. That means the flaw could affect nearly 6 million sites, or 21 percent of the Web, according to a May survey by Internet researcher Netcraft.

The vulnerability lies within the code that Microsoft's IIS server uses to support indexing, a feature that speeds searching on Web servers. The module, known as the Indexing Service ISAPI Filter, does not properly check for buffer overruns, a common problem in software. Maiffret estimated that at least 50 percent of all IIS servers -- about 3 million -- still have the default component installed and are thus vulnerable.

Chris Rouland, director of the X-force research team at software and consulting company International Security Systems, agreed that systems administrators need to act quickly. "Until the attacks become real, it's just a vulnerability," he said Monday. "But I'm sure hackers are writing exploits for this right now. I'd expect we'd see them in the next 48 hours.

"Systems administrators need to look at applying patches tonight or at the most over the next day or two."

Discovery of the server hole follows a rash of recent security incidents for Microsoft.

The company had to offer several different patches for a hole in its Exchange e-mail server after initial repairs crippled the servers they were applied to. An earlier hole in IIS was quickly exploited by online vandals. And an insurance firm that protects companies against hacker damage recently decided to boost premiums for customers who use Microsoft's Windows NT software.

Maiffret said eEye found the flaw while testing a planned upgrade for one of its products, a vulnerability scanner designed to find such problems.

Using the flaw, a network attacker could gain total control of the computer on which the Web server runs. "An attacker who successfully exploited this vulnerability could gain complete control over an affected Web server," according to Microsoft's statement. "This would give the attacker the ability to take any desired action on the server, including changing Web pages, reformatting the hard drive or adding new users to the local administrators group."

For example, an attacker who exploits the security hole could install and run programs, steal Web-based databases, modify Web sites and, in some cases, have a platform from which to attack the rest of the victim's network.

"The danger to the network really depends on how the network is set up," Maiffret said. "The Web server should be cut off from your actual organisation." In cases where it's not, companies could find their entire network compromised.

A Microsoft representative said the hole does not pose a threat to server administrators who already follow strict security procedures, as outlined in Microsoft's "security checklist".

"People will not be harmed by this if they have previously followed the security checklist," said Scott Culp, security program manager for Microsoft's security response centre. "Web servers sit on the Internet and let untrusted users access them, so they are always the most vulnerable pieces of your network."

Anyone using IIS should still install the patch provided by Microsoft, Culp added, even if they have followed Microsoft's security's checklist.

A Microsoft representative said the company is working to fix the flaw in the Windows XP version of the software before it is released.

Analysts said the flaw is unlikely to seriously harm Microsoft, even as it tries to push its software into more security-focused industries such as finance.

"Customer confidence is eroded when things like this come out," said Gartner analyst Victor Wheatman. "But people are tending to gravitate to Microsoft for all kinds of applications, and that will continue. This just shows they should do so with their eyes open."

Given the complexity of server software and the like, however, it's unrealistic to expect bulletproof software.

"It's just far too complicated -- one new capability, one new feature can open holes in an operating system that was thought to be air-tight," Wheatman said. "Security is never done. It's part of the development process."

On that basis, Microsoft scores highly for its response, said International Security Systems' Rouland.

"If you compare the speed at which Microsoft responds to these vulnerabilities, it's incredible," he said. "They get through with the information and the fix much quicker than you'd see with open-source software."

News.com's David Becker contributed to this report.

Is your PC safe? Find out in ZDNet UK's Viruses and Hacking News Section.

Have your say instantly, and see what others have said. Click on the TalkBack button and go to the Security forum.

Let the editors know what you think in the Mailroom. And read other letters.

Editorial standards