Microsoft issued an advisory this week warning customers of a serious vulnerability in Microsoft Internet Information Services (IIS) and the availability of exploit code circulating that could enable an attacker to exploit
The flaw affects Microsoft IIS version 5.0, 5.1 and 6.0, leaving the Web server vulnerable to an FTP attack. Bruce Dang and Jonathan Ness, of the Microsoft Security Response Center detailed the flaw in a blog entry, calling it a "stack overflow in the FTP service when listing a long, specially-crafted directory name."
"If an attacker were able to successfully exploit this vulnerability, they could execute code in the context of LocalSystem, the service under which the FTP service runs," the researchers said of the IIS FTP flaw in the Security Research and Defense blog.
If the IIS is configured to enable anonymous users to have write access, the attacker would not have to be authenticated to pull off the attack, Microsoft said.
Microsoft is working on a patch and expects to release it once it "reaches an appropriate level of quality for broad distribution." In the meantime, companies can deploy a workaround by modifying NTFS file system permissions to bar FTP users from creating directories.
The U.S. Computer Emergency Response Team (US-CERT) issued an advisory Monday warning that there was no practical solution to the problem. Danish vulnerability clearinghouse, Secunia gave the flaw a moderately critical rating.
Microsoft said the flaw was not reported responsibly. It was discovered by a security researcher who goes by the name "Kingcope." The exploit code began circulating on the the Milw0rm site on Monday.