Microsoft urges immediate fix of critical IIS flaw

Article

Microsoft urges immediate fix of critical IIS flaw

A critical buffer overflow vulnerability affecting Microsoft's Internet Information Services (IIS) Web server and Internet Explorer could leave companies open to Nimda-style attackers.

FOR MORE INFORMATION:

    Requires Free Membership to View

    Login

    SearchSecurity.com members gain immediate and unlimited access to breaking industry news, virus alerts, new hacker threats, highly focused security newsletters, and more -- all at no cost. Join me on SearchSecurity.com today!

    Michael S. Mimoso, Editorial Director

    By submitting your registration information to SearchSecurity.com you agree to receive email communications from TechTarget and TechTarget partners. We encourage you to read our Privacy Policy which contains important disclosures about how we collect and use your registration and other information. If you reside outside of the United States, by submitting this registration information you consent to having your personal data transferred to and processed in the United States. Your use of SearchSecurity.com is governed by our Terms of Use. You may contact us at webmaster@TechTarget.com.

SearchSecurity.com news exclusive: "Buffer overflows likely to be around for another decade"

SearchSecurity.com technical tip: "Defining and preventing buffer overflows"

SearchSecurity.com news exclusive: "One year later, Nimda is still a threat"

SearchSecurity.com news exclusive: "SANS, FBI identify top 20 Windows, Unix vulnerabilities"

Feedback on this story? Send your comments to News Writer Edward Hurley

The flaw is in Microsoft Data Access Components, a collection of components that make it easy for programs to access databases and manipulate the data within them. It's used by IIS and Internet Explorer.

Microsoft and security experts are urging affected users to patch their systems as soon as possible. Web servers running Microsoft Data Access Components 2.1, Microsoft Data Access Components 2.5 and Microsoft Data Access Components 2.6 are affected. Several versions of the Windows operating system are also affected. Attackers exploiting the flaw could run code on a vulnerable machine. No exploits are known to exist, experts said.

"Clearly, this vulnerability is very serious, and Microsoft recommends that all customers whose systems could be affected by them take appropriate action immediately," the company said in an advisory released Wednesday.

Exploiting the flaw on the client side is more difficult than on the server side. Web surfers using Internet Explorer 5.01, 5.5 and 6, which use the data access component, could be affected if they visit a Web site set up to exploit the flaw. The issue doesn't affect Windows XP users. Systems using Outlook Express 6 and Outlook 2000 are safe if they are running default settings. People using other versions of the mail client may also be safe if they have run Outlook E-mail Security Update.

The vulnerability is the result of an unchecked buffer. An attacker can send a malformed HTTP request, which could allow the attacker's data to overrun onto the heap. The buffer overflow is a heap variety, which is harder to exploit than the more common stack kind.

Creating code to exploit the flaw, however, would take as much savvy as the authors of Code Red and Nimda displayed, said George Kurtz, CEO of Foundstone Inc., which alerted Microsoft to the flaw.

"This is very, very serious," Kurtz said, noting that companies should patch their systems as soon as possible. "We don't want this to become the next security tsunami."

So far, there isn't any known code taking advantage of the flaw, but this shouldn't make affected users complacent. The risks posed by the flaw can't be ignored, Kurtz said. Exploiting it both on the server and client side would allow attackers to gain control of affected systems.