Microsoft warns of IIS FTP vulnerability
by Stephen Withers
Thursday, 03 September 2009
A flaw in the FTP component within Microsoft's Internet Information Services (IIS) allows the execution of malicious code, potentially giving an attacker complete control of a targeted system.
The vulnerability affects IIS 5 and 6, though according to Symantec's security response team, "we successfully executed arbitrary code remotely on IIS 5.0. Yet, our results with IIS 6.0 were less than conclusive." That observation is consistent with Microsoft's advice that "IIS 6.0 is at reduced risk because it was compiled using the /GS compiler option. This does not remove the vulnerability but does make exploitation of the vulnerability more difficult."

The vulnerability can be exploited by creating a directory with a maliciously crafted name using any account with write access. When that directory is listed using the FTP NLST command, the shellcode embedded in the directory name is executed.

The workarounds suggested by Microsoft are to disable the FTP service if it is not required, modify NTFS file system permissions to prevent FTP users from creating directories, and disallow FTP write access by anonymous users. Symantec recommends that the latter action be taken immediately "because this is the most dangerous scenario."

The affected software is installed by default in Windows 2000 and Small Business Server 2003. It is an optional installation on XP and Server 2003.

An update to address the vulnerability is being developed, and will "be released once it reaches an appropriate level of quality for broad distribution", Microsoft officials stated. IIS 7.0, found in Vista and Server 2008, is not vulnerable, according to the Microsoft Security Response Center.
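One way to confirm that the workaround Symantec singles out, no FTP write access for anonymous users, is actually in effect on a server you administer. This is an added example, not code from Microsoft, Symantec or the article; the probe paths, the probe directory name and the placeholder password are assumptions.

```python
import ftplib
import sys
import uuid

# Possible audit results for one server.
NO_ANONYMOUS = "anonymous login refused"
READ_ONLY = "anonymous login allowed, directory creation denied"
WRITABLE = "anonymous login allowed AND directory creation permitted"


def audit_anonymous_write(ftp, paths=("/",)):
    """Check whether an anonymous FTP session can create directories.

    `ftp` is a connected ftplib.FTP-style object that has not logged in yet.
    `paths` lists the directories to probe (assumed values; use your own).
    Returns (status, writable_paths).
    """
    try:
        ftp.login("anonymous", "audit@example.invalid")
    except ftplib.error_perm:
        return NO_ANONYMOUS, []        # 530: anonymous access is disabled

    writable = []
    for path in paths:
        # Harmless, unique probe name so an existing directory is never touched.
        probe = path.rstrip("/") + "/audit-probe-" + uuid.uuid4().hex[:12]
        try:
            ftp.mkd(probe)
        except ftplib.error_perm:
            continue                   # 550: creation denied here, as intended
        writable.append(path)
        try:
            ftp.rmd(probe)             # clean up the probe directory
        except ftplib.all_errors:
            print("warning: could not remove", probe, file=sys.stderr)
    return (WRITABLE if writable else READ_ONLY), writable


if __name__ == "__main__":
    # Usage: python audit_ftp.py <host> [path ...]
    if len(sys.argv) < 2:
        sys.exit("usage: audit_ftp.py <host> [path ...]")
    host, paths = sys.argv[1], tuple(sys.argv[2:]) or ("/",)
    with ftplib.FTP(host, timeout=10) as conn:
        status, where = audit_anonymous_write(conn, paths)
    print(host, "->", status, where)
    sys.exit(1 if status == WRITABLE else 0)
```

A non-zero exit status means anonymous users can still create directories in at least one probed path, so the workaround is not yet in place there.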