Microsoft probes critical IIS Web server bug

Computerworld - Microsoft on Tuesday confirmed that it is examining a critical vulnerability in older editions of Internet Information Services (IIS) server, a day after a hacker posted exploit code to the milw0rm.com site.

"Microsoft is investigating new public claims of a possible vulnerability in IIS 5.o and IIS 6.0 File Transfer Protocol (FTP)," a company spokesman said today. "We will take steps to determine how customers can protect themselves should we confirm the vulnerability." Microsoft added that it had not yet seen any evidence of actual in-the-wild attacks, but as is its usual practice, hinted that it might create a patch for the problem.

It offered no defensive measures Web server administrators could take in lieu of a fix, a departure from past investigations, when Microsoft has offered not only instructions to customers, but also delivered tools that helped users automate the workaround.

The disclosure of exploit code triggered warnings from a few security firms, as well as from the U.S. Computer Emergency Response Team (US-CERT), which urged administrators to disable FTP (file transfer protocol) write access in IIS.

According to a US-CERT advisory, the FTP server included in IIS fails to properly parse specially-crafted directory names. Hackers can issue a NLST command (NAME LIST) on a specially-named directory to force a stack buffer overflow. "[This] may allow a remote attacker to execute arbitrary code on a vulnerable system," said US-CERT.

Danish bug tracking vendor Secunia ranked the vulnerability "moderately critical," the third-highest threat level in its five-step scoring system.

It's unclear how many versions of IIS contain the vulnerability. Secunia said the bug can cause IIS 5.1 on Windows XP and IIS 6.0 on Windows Server 2003 to crash, but allows hackers to insert their own malicious code on IIS 5.0 systems running under Windows 2000.

The hacker who posted the exploit code on milw0rm yesterday agreed with Secunia. "IIS 6.0 FTP server IS affected by the buffer overflow, but is properly protected by stack canaries," said the hacker, identified as "Nikolaos" and by the "Kingcope" moniker, in a message to the Full Disclosure security mailing list. "As far as I know, it looks like a DoS on Windows Server 2003."

IIS 7.0 debuted with Windows Vista and Windows Server 2008 in late 2007, while the even newer IIS 7.5 will be included with Windows 7 and Windows Server 2008 R2, both expected to officially launch later this year.

Microsoft's IIS server, currently the world's second-most popular Web server, accounts for about 22% of all Web servers, according to U.K.-based Netcraft. The open-source Apache server software, with a 46% share, remains the top choice.

IIS bugs are rare, but not unknown. Last May, Microsoft admitted that IIS 6.0 contained a flaw that could let attackers steal data, but downplayed the threat. Several weeks later, it issued a bug fix as part of its June monthly security updates.

Microsoft's next scheduled patch day is Tuesday, Sept. 8.

Read more about security in Computerworld's Security Knowledge Center.