A pervasive and potentially damaging new vulnerability in a component of Microsoft's Internet Information Services (IIS) Web server exposes systems to attack and could pave the way for a new worm. IIS users have had no window of time to patch their systems because the flaw has already been exploited, experts said.
The flaw, found in IIS 5.0 running on Windows 2000, is a buffer overflow in WebDAV (World Wide Web Distributed Authoring and Versioning). WebDAV is an IIS utility that allows for remote management and monitoring of Web content. It is installed by default, so some companies may have it running without knowing they do, said Ian Hameroff, security strategist for Islandia, N.Y.-based Computer Associates International Inc.
"It's time for administrators to do an inventory of their systems," Hameroff said.
If exploited, the vulnerability could allow attackers to run arbitrary code on the system. An attacker could exploit the flaw by sending a specially crafted request to an IIS 5.0 server with WebDAV running, CERT said in advisory.
Users of vulnerable systems have a couple of ways to protect themselves. Manually disabling WebDAV is one way, but this method can be tricky because it involves creating a specific registry key. The IIS Lockdown Tool from Microsoft may also be used, but system administrators should be cautious because the tool may or may not turn WebDAV off, depending on templates used, said Dan Ingevaldson, team lead for ISS' X-Force R&D. "It's a good practice to turn of all systems and services you aren't using anyway," he said.
The surest way to prevent problems with the flaw is by patching the system. The dangerous thing about the flaw is it was found after being exploited in the wild. Usually, researchers find flaws, then users of the flawed product have a window of time to patch their systems before attackers come up with ways to exploit them.
The WebDAV flaw was discovered when a Web site run by the U.S. Army went down. The system administrator rebuilt the system and put it back online. It was promptly attacked again, said Russ Cooper, surgeon general for Herndon, Va.-based TruSecure Corp. Cooper worked with the Army to notify Microsoft of the flaw. "Microsoft didn't know what I was talking about," he said, noting they "were all over it in a few hours."
Luckily, it's actually quite rare for a vulnerability to be found while being exploited in the wild, Cooper said. Also, the exploit code for the flaw isn't believed to be generally available.
Cooper fears that a worm could be released in the next week or two that takes advantage of the flaw. The attack on the Army's Web server was so brazen, especially given the political situation. "They had no way of know what that server was doing," he said.
"[The attacker] was obviously a pretty daring soul," he said.
FOR MORE INFORMATION:
- FEEDBACK: Has your company reached its limit with IIS' security problems?
Send your thoughts to News Writer Edward Hurley.