Microsoft widens IIS vulnerability warning
By Stephen Withers
Monday, 07 September 2009 04:25
At the time, IIS versions 5 and 6 were said to be affected.
Microsoft now warns that IIS 7.0 is also vulnerable if it is running FTP Service 6.0, but not if it has been updated with FTP Service 7.5 (as shipped with Windows 7 and Server 2008 R2).
According to Microsoft's advisory, remote code execution is possible on IIS 5.0, but exploits are limited to denial of service attacks on IIS 5.1 and later.
IIS 5.0 is part of Windows 2000.
The remote code execution attack on IIS 5.0 works by creating a long, maliciously crafted directory name, and could therefore be avoided by denying untrusted users the right to create directories.
However, a publicly available denial of service attack on the FTP service only requires an untrusted user to have read access.
Microsoft suggests disabling the FTP service in order to "completely block the known attack vector or any variations thereof."
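One way to audit a host for the two mitigations described above (whether the IIS 6.0-era FTP service is running, and whether untrusted accounts hold the right to create directories under the FTP root). This is an added example, not code from Microsoft or from the article; the service name MSFTPSVC, the default FTP root path, and the list of untrusted identities are assumptions.

```powershell
# Added audit script (not from the article). Reports the state of the IIS
# FTP Service 6.0 (service name MSFTPSVC, an assumption) and flags NTFS
# access entries on the FTP root that let untrusted principals create
# directories. NTFS is one layer only: the FTP site's own write permission
# should be reviewed as well.
param(
    # Assumed IIS default; pass the real FTP root if it differs.
    [string]$FtpRoot = 'C:\Inetpub\ftproot'
)

# Illustrative set of principals treated as untrusted for this check.
$untrusted = @(
    'Everyone',
    'NT AUTHORITY\ANONYMOUS LOGON',
    'NT AUTHORITY\Authenticated Users',
    'BUILTIN\Users'
)

# Win32_Service exposes State and StartMode on older PowerShell versions too.
$svc = Get-WmiObject -Class Win32_Service -Filter "Name='MSFTPSVC'"
if ($null -eq $svc) {
    Write-Output 'MSFTPSVC not installed: FTP Service 6.0 is not present on this host.'
} else {
    Write-Output ("MSFTPSVC state: {0}, start mode: {1}" -f $svc.State, $svc.StartMode)
    if ($svc.State -eq 'Running') {
        Write-Output 'WARNING: the FTP service is running; consider disabling it until the update is applied.'
    }
}

if (Test-Path -Path $FtpRoot) {
    $createDir = [System.Security.AccessControl.FileSystemRights]::CreateDirectories
    $acl = Get-Acl -Path $FtpRoot
    foreach ($ace in $acl.Access) {
        $id = $ace.IdentityReference.Value
        $grantsCreateDir = (($ace.FileSystemRights -band $createDir) -ne 0)
        # IUSR_<machine> is the classic anonymous IIS account; matched by pattern.
        $isUntrusted = ($untrusted -contains $id) -or ($id -like '*\IUSR_*')
        if ($ace.AccessControlType -eq 'Allow' -and $grantsCreateDir -and $isUntrusted) {
            Write-Output ("WARNING: {0} is allowed to create directories under {1} ({2})" -f $id, $FtpRoot, $ace.FileSystemRights)
        }
    }
} else {
    Write-Output ("FTP root {0} not found; supply the correct path with -FtpRoot." -f $FtpRoot)
}
```

Deny entries are not evaluated here, so a flagged Allow entry may be overridden by an explicit Deny; treat the output as a starting point for review rather than a verdict.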
A patch for the issue is under development. Microsoft officials have indicated that it may be released as an out-of-cycle update as opposed to waiting for October's Patch Tuesday.