Users of Microsoft's Internet Information Server (IIS) Web server should install the latest security patch as soon as possible to prevent damaging problems, security experts advise.
Earlier this month, Microsoft released a whopping security patch to correct 10 vulnerabilities in IIS versions 4, 5 and 5.1. A few of the vulnerabilities involve buffer overflows that could allow someone to execute code on unprotected systems.
One of the most insidious buffer overflow flaws affects how the server generates active server pages (ASP). Other vulnerabilities could leave the system open to denial-of-service attacks.
It is unusual for Microsoft to wrap up so many fixes for so many vulnerabilities into one patch, said Gerhard Eschelbeck, vice president of engineering at Qualys. However, he has seen an increase in vulnerabilities found in general over the last three months.
One of the problems with IIS is that it comes with so many "bells and whistles" set as default, Eschelbeck said. Users need to make sure their machines are configured to do exactly what they need, and no more. As many as 80% of the vulnerabilities wouldn't affect a user with well-configured systems, he said.
However, the sheer popularity of the ASP functionality makes that vulnerability particularly dangerous. "Turning this off is not an option for most places as it's critical," Eschelbeck said.
Potential attackers are already looking for that particular vulnerability, said Tim Mullen, CIO and chief software architect for AnchorIS.com, a developer of secure, enterprise-based accounting software. "I saw it in my own logs," he said.
Some users may be a little apprehensive about installing such a large patch. In large part, they question what the different patches will do to their systems, what will happen if the patches damage their systems and whether they have time to install such a cumulative patch.
Both Mullen and Eschelbeck recommend installing the patch as soon as possible. The risk associated with leaving the vulnerabilities open is much greater than potential system problems.
"It's like saying you won't drive into work because you might get into a wreck," Mullen said.
Granted, these are "hot fixes," so they didn't receive the testing and review that a Service Pack release would, said Mullen, who personally had no problems installing them. Only users with less conventional configurations may experience any problems.
Mullen gives Microsoft some credit for releasing all the repairs in one patch. It's much easier installing the one patch. It would have been confusing if users had to decide which of the 10 affected them. Then there is the question of which to install first. "The single patch is a good thing in this case," he said.