Microsoft Corp. scrambled last week to alert customers to a serious flaw in its Internet Information Server (IIS) software that had been discussed online for at least a week by potential attackers.
Discussions of undisclosed security holes aren't uncommon on Internet bulletin boards and Internet Relay Chat channels. But this vulnerability prompted an intense 20-hour campaign by Microsoft to identify an existing patch and to contact information technology managers, who had largely failed to install that patch when it was first released to fix a different problem.
"If you haven't already applied the patch, stop what you are doing right now and install it," said Microsoft security manager Scott Culp.
The flaw affects IIS versions 4.0 and 5.0. It lets intruders read and execute files on affected Web servers by adding a specific string to the end of a Web address. "It doesn't make them administrators, but it makes them local users who could add, change or delete files, run executables or load additional software on the machine and run it," said Culp.
Continuing Vulnerability
Culp said the patch for the bug was distributed in August with Microsoft Security Bulletin No. 57 but was developed to fix another bug. Culp said many administrators simply didn't apply it. "It is possible that people haven't installed the patch yet because the [original] vulnerability was much less serious," he said.
Security analyst Elias Levy, who runs the BugTraq mailing list, which announced the bug last week, noted that the flaw could have been used to attack Web sites for some time. He said the incident underscored the need to make security problems public as soon as they are discovered. Culp said the company hasn't yet had any reports of attackers exploiting the flaw.
Mention of it first appeared on the Packetstorm bulletin board during the week of Oct. 9, when an anonymous poster revealed the IIS hole. A security researcher, who goes by the handle Rain Forest Puppy, made the exploit work and contacted Microsoft to report the bug on Oct. 13.