No. 1 Story

Construction needs cloud flexibility

Australia’s embattled construction sector could benefit from cloud based information systems that can be switched on and off in lockstep with individual projects – with the exception of those organisations based in remote areas like the Kimberleys.

read more

Related Articles

IIS, zeroday, vulnerability, there, rushed, patch, coming
Patches for 26 Windows, Office vulnerabilities coming next Tuesday
Microsoft is planning to dish up heapin' helpin' of security bulletins next week. So...
Read More
Finisterre finds Mac Virex vulnerability
The Month of Apple Bugs may be over, but Kevin Finisterre hasn't given up...
Read More
Microsoft to hit users with 11 fixes on Patch Tuesday
Microsoft Windows and Office have once again been exposed for the leaky vessels they...
Read More
Third party fixes not a patch on Microsoft
The debate has flared up once again about whether users should wait for an...
Read More
Microsoft stung into action releases browser patch
With the news that thousands of web sites are already exploiting an Internet Explorer...
Read More

More From

Popular Threads

IIS zero-day vulnerability (is there a rushed patch coming?)

David Heath
Wednesday, 30 December 2009 15:22

Business IT - Security

View Comments
First reported by IPSS on December 24th, the vulnerability can allow attackers to upload malicious executables on un-protected IIS servers.

The attack can occur, according to the SANS report "where the server in incorrectly handling files with multiple extensions separated by the ";" character such as 'malicious.asp;.jpg' as an ASP file. This could allow attackers to upload malicious executables on a vulnerable web server, bypassing file extension protections and restrictions. This vulnerability does not work with ASP.Net."

On December 27th, SANS reported increasing pressure for Microsoft to issue an out-of-cycle patch to fix what seems to be an easily exploitable vulnerability.

As an example of how Microsoft just doesn't 'get it,' try this comment from MSDN blogger David Wang in response to the self-proposed question "why can I upload a file without IIS write permission?":  "The short answer to this question is that everything the user observed is correct and by-design. The user just failed to configure what he thinks he configured, and IIS can do nothing to save you from your own misunderstanding."

Early today, Microsoft has responded that "there is no problem with IIS 6, but rather this is a configuration issue which should not be present in an out of the box IIS 6 server or any server properly configured to Microsoft standards."

Microsoft says, "We've completed our investigation into the claims that came up over the holiday of a possible vulnerability in IIS and found that there is no vulnerability in IIS.

"What we have seen is that there is an inconsistency in IIS 6 only in how it handles semicolons in URLs. It's this inconsistency that the claims have focused on, saying this enables an attacker to bypass content filtering software to upload and execute code on an IIS server.

"The key in this is the last point: for the scenario to work, the IIS server must already be configured to allow both "write" and "execute" privileges on the same directory. This is not the default configuration for IIS and is contrary to all of our published best practices. Quite simply, an IIS server configured in this manner is inherently vulnerable to attack."

The very obvious problem here is that those defending the Microsoft position are speaking from the position of expertise; those attacking IIS are aware that not all administrators are even remotely expert.

So, it seems that the answer to the title question is 'no' there is to be no rushed patch.  Furthermore, if Microsoft has its way, there will be no patch at all; according to the company, IIS is operating exactly as designed.

Our Services for Technology Professionals

E - mail News SMS Headlines Desktop Alerts News Feeds Job Alerts Technology Events Press-Releases