David Heath
Wednesday, 30 December 2009 16:22
The attack can occur, according to the SANS report, "where the server is incorrectly handling files with multiple extensions separated by the ';' character, such as 'malicious.asp;.jpg', as an ASP file. This could allow attackers to upload malicious executables on a vulnerable web server, bypassing file extension protections and restrictions. This vulnerability does not work with ASP.Net."
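To make the mismatch SANS describes concrete, here is a small Python model written for this article (it is not code from SANS, Microsoft, or iTWire). It assumes, following the SANS description, that IIS 6 decides the handler from the part of the name before the first ';', while a typical upload filter looks only at the text after the last dot. The extension lists are constructed for the example and are not a real server's script map. The hardened filter shows the usual mitigation: allowlist a strict filename shape, and store the file under a server-chosen name rather than the client's.

```python
import os
import re
import uuid

# Constructed, abbreviated lists for the example; a real deployment reads the
# script-mapped extensions from its own server configuration.
SCRIPT_EXTENSIONS = {".asp", ".asa", ".cer", ".cdx", ".aspx"}
ALLOWED_UPLOAD_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".pdf"}


def naive_extension(filename):
    """What a typical upload filter checks: the text after the last dot."""
    return os.path.splitext(filename)[1].lower()


def iis6_effective_extension(filename):
    """Extension the server acts on, modelled from the SANS description:
    the name is cut at the first ';' and the extension of that prefix wins.
    This is an assumption about the behaviour, not taken from IIS source."""
    prefix = filename.split(";", 1)[0]
    return os.path.splitext(prefix)[1].lower()


def naive_filter_accepts(filename):
    """A last-dot allowlist: the kind of check the article says is bypassed."""
    return naive_extension(filename) in ALLOWED_UPLOAD_EXTENSIONS


def is_dangerous_upload(filename):
    """Detection: the naive filter would accept the name, but the server would
    treat the stored file as script. Useful for auditing existing upload dirs."""
    return (naive_filter_accepts(filename)
            and iis6_effective_extension(filename) in SCRIPT_EXTENSIONS)


# Hardened shape: one base name, exactly one dot, one short extension,
# no ';', path separators, whitespace or other delimiters at all.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}\.[A-Za-z0-9]{1,5}$")


def hardened_filter_accepts(filename):
    """Mitigation: allowlist the whole name's shape, then the extension."""
    if not SAFE_NAME.fullmatch(filename):
        return False
    return naive_extension(filename) in ALLOWED_UPLOAD_EXTENSIONS


def stored_name(filename, token=None):
    """Mitigation: never store under the client-supplied name. Keep only the
    allowlisted extension and use a server-generated token as the base name."""
    if not hardened_filter_accepts(filename):
        raise ValueError("rejected upload name: %r" % filename)
    if token is None:
        token = uuid.uuid4().hex
    return token + naive_extension(filename)


def audit(names):
    """Return the subset of constructed sample names that slip past the naive
    filter yet would execute as script under the modelled server behaviour."""
    return [n for n in names if is_dangerous_upload(n)]


if __name__ == "__main__":
    # Constructed sample upload names; the first is the one quoted by SANS.
    samples = ["malicious.asp;.jpg", "photo.jpg", "report.pdf", "page.asp",
               "x.jpg;.asp", "holiday.JPG"]
    for n in samples:
        print("%-22s naive=%-5s server_ext=%-6s dangerous=%-5s hardened=%s" % (
            n, naive_filter_accepts(n), iis6_effective_extension(n),
            is_dangerous_upload(n), hardened_filter_accepts(n)))
    print("flagged:", audit(samples))
```

Run stand-alone it prints a per-name comparison of the two filters; `audit()` is the piece you would point at a list of names already sitting in an upload directory. Note that the hardened filter rejects 'malicious.asp;.jpg' on shape alone, before any extension logic runs, which is the point: do not try to reason about every delimiter the server might honour, accept only names you fully understand.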
On December 27th, SANS reported increasing pressure for Microsoft to issue an out-of-cycle patch to fix what seems to be an easily exploitable vulnerability.
As an example of how Microsoft just doesn't 'get it,' try this comment from MSDN blogger David Wang in response to the self-proposed question "why can I upload a file without IIS write permission?": "The short answer to this question is that everything the user observed is correct and by-design. The user just failed to configure what he thinks he configured, and IIS can do nothing to save you from your own misunderstanding."
Earlier today, Microsoft responded that "there is no problem with IIS 6, but rather this is a configuration issue which should not be present in an out of the box IIS 6 server or any server properly configured to Microsoft standards."
Microsoft says, "We've completed our investigation into the claims that came up over the holiday of a possible vulnerability in IIS and found that there is no vulnerability in IIS.
"What we have seen is that there is an inconsistency in IIS 6 only in how it handles semicolons in URLs. It's this inconsistency that the claims have focused on, saying this enables an attacker to bypass content filtering software to upload and execute code on an IIS server.
"The key in this is the last point: for the scenario to work, the IIS server must already be configured to allow both 'write' and 'execute' privileges on the same directory. This is not the default configuration for IIS and is contrary to all of our published best practices. Quite simply, an IIS server configured in this manner is inherently vulnerable to attack."
The very obvious problem here is that those defending the Microsoft position are speaking from the position of expertise; those attacking IIS are aware that not all administrators are even remotely expert.
So, it seems that the answer to the title question is 'no': there is to be no rushed patch. Furthermore, if Microsoft has its way, there will be no patch at all; according to the company, IIS is operating exactly as designed.