Microsoft warns of IIS FTP vulnerability

A flaw in the FTP component of Microsoft's Internet Information Services (IIS) allows execution of malicious code, potentially giving an attacker complete control of the targeted system.

Microsoft is warning its customers about a vulnerability in Internet Information Services' FTP server. Detailed exploit code has been made public, but Microsoft and security vendors Symantec and PC Tools say they have not seen active attacks using this vulnerability.

The vulnerability affects IIS 5 and 6, though according to Symantec's security response team, "we successfully executed arbitrary code remotely on IIS 5.0. Yet, our results with IIS 6.0 were less than conclusive."

That observation is consistent with Microsoft's advice that "IIS 6.0 is at reduced risk because it was compiled using the /GS compiler option. This does not remove the vulnerability but does make exploitation of the vulnerability more difficult." The /GS option adds stack-buffer overrun checks (a security cookie placed before the return address) to compiled functions, so a straightforward overwrite of the return address is detected before the overwritten value is used.

The vulnerability can be exploited by creating a directory with a maliciously crafted name, which requires nothing more than an account with write access to the FTP site. When the directory is then listed using the FTP NLST command, the server's handling of the crafted name overruns a buffer and the shellcode embedded in the directory name executes in the context of the FTP service.

The workarounds suggested by Microsoft are to disable the FTP service if it is not required, to modify NTFS file system permissions so that FTP users cannot create directories, and to disallow FTP write access by anonymous users.

Symantec recommends that the last of these, removing anonymous write access, be applied immediately "because this is the most dangerous scenario."
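The attack sequence described above (a directory created over FTP with an oversized or binary-looking name, followed by an NLST of the parent) leaves a recognisable trail in the server's own log, and the anonymous-write case Symantec singles out is the one worth alerting on first. The following detector is an added example written for this page, not code from Microsoft, Symantec or the original article. It reads IIS FTP logs in W3C Extended format; the field order, the "[n]" connection prefix that IIS prepends to cs-method, the 128-character length threshold and the sample log lines are all constructed assumptions and should be adjusted to what your servers actually write.

```python
"""Flag the MKD-then-NLST pattern from the IIS FTP advisory in W3C-format FTP logs."""
import re
from dataclasses import dataclass, field

# Constructed sample log in W3C Extended format. The field layout and the
# "[n]" connection prefix on cs-method are assumptions about IIS 6 logging.
LONG_NAME = "/" + "A" * 300          # stand-in for a crafted directory name
SAMPLE_LOG = f"""\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2009-09-01 10:00:01 192.0.2.10 alice [1]USER alice 331
2009-09-01 10:00:01 192.0.2.10 alice [1]PASS - 230
2009-09-01 10:00:02 192.0.2.10 alice [1]MKD /uploads/reports 257
2009-09-01 10:00:03 192.0.2.10 alice [1]NLST /uploads 226
2009-09-01 10:05:00 198.51.100.7 anonymous [2]USER anonymous 331
2009-09-01 10:05:00 198.51.100.7 anonymous [2]PASS - 230
2009-09-01 10:05:01 198.51.100.7 anonymous [2]MKD {LONG_NAME} 257
2009-09-01 10:05:02 198.51.100.7 anonymous [2]NLST / 426
"""

MAX_SANE_NAME = 128   # assumption: legitimate directory names rarely exceed this
# IIS percent-encodes non-ASCII bytes in cs-uri-stem; %80-%FF is a hint of shellcode.
ENCODED_HIGH_BYTE = re.compile(r"%[89a-fA-F][0-9a-fA-F]")


@dataclass
class Alert:
    client: str
    user: str
    directory: str            # truncated for display
    anonymous: bool           # the "most dangerous scenario" in the advisory
    listed: bool = False      # did the same connection go on to issue NLST?
    reason: list = field(default_factory=list)


def parse_w3c(text):
    """Yield one dict per log entry, keyed by the names in the #Fields line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if fields and len(values) == len(fields):
            yield dict(zip(fields, values))


def suspicious_name(name):
    """Return the reasons a requested directory name looks crafted (empty if none)."""
    reasons = []
    if len(name) > MAX_SANE_NAME:
        reasons.append(f"directory name length {len(name)} > {MAX_SANE_NAME}")
    if ENCODED_HIGH_BYTE.search(name):
        reasons.append("percent-encoded non-ASCII bytes in directory name")
    return reasons


def detect(text):
    """Return one Alert per connection that issued a suspicious MKD.

    An alert is escalated (listed=True) when the same client connection later
    issues NLST, which is the step that triggers the overflow.
    """
    alerts = {}   # (client ip, connection id) -> Alert
    for e in parse_w3c(text):
        m = re.match(r"\[(\d+)\](\w+)", e["cs-method"])
        if not m:
            continue
        conn, verb = m.group(1), m.group(2).upper()
        key = (e["c-ip"], conn)
        if verb == "MKD":
            reasons = suspicious_name(e["cs-uri-stem"])
            if reasons:
                alerts[key] = Alert(client=e["c-ip"], user=e["cs-username"],
                                    directory=e["cs-uri-stem"][:40] + "...",
                                    anonymous=e["cs-username"].lower() == "anonymous",
                                    reason=reasons)
        elif verb == "NLST" and key in alerts:
            alerts[key].listed = True
    return list(alerts.values())


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        level = "CRITICAL" if a.listed else "WARN"
        print(f"{level} {a.client} user={a.user} anonymous={a.anonymous} "
              f"listed={a.listed}: {'; '.join(a.reason)}")
```

Run against the sample it reports one alert, for the anonymous connection from 198.51.100.7, escalated because the NLST followed the crafted MKD; the 426 status on that NLST (transfer aborted) is a further hint that the service fell over, but the detector keys on the command sequence rather than the status so that it also catches a successful exploit. The MKD check is the useful part even after patching: a legitimate anonymous user has no business creating directories, so any MKD from "anonymous" is evidence that the workaround Symantec recommends has not been applied.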

The affected software is installed by default in Windows 2000 and Small Business Server 2003. It is an optional installation on XP and Server 2003.

An update to address the vulnerability is being developed and will "be released once it reaches an appropriate level of quality for broad distribution", Microsoft officials stated.

IIS 7.0, found in Vista and Server 2008, is not vulnerable, according to the Microsoft Security Response Center.