
Microsoft warns of IIS zero-day vulnerability

By Robert Westervelt, News Editor
19 May 2009 | SearchSecurity.com


Microsoft is warning of a zero-day vulnerability in its Internet Information Services (IIS) Web server which, if successfully exploited, could give an attacker elevated privileges and access to sensitive data.

Microsoft said a remote authentication bypass vulnerability exists in the WebDAV extension, a collection of tools used to publish content to IIS Web servers. The Web server does not properly decode a requested URL. An attacker can exploit the flaw by sending a specially crafted anonymous HTTP request to gain access to a location that, Microsoft said, would normally require authentication.

Microsoft IIS versions 5.0-6.0 are affected. The software giant said it is unaware of any known attacks against the flaw in the wild. But the U.S. Computer Emergency Response Team issued an advisory warning on Monday that it is aware of publicly available exploit code and active exploitation of the vulnerability.
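Because US-CERT reports active exploitation, a defender's first question is whether anonymous requests are reaching folders that should require credentials. The script below is an added example, not code from Microsoft, US-CERT or the article: it scans W3C extended IIS log lines for anonymous requests (cs-username of "-") that either received a success response for a protected folder, used a WebDAV method against a protected folder, or carried a request path that does not percent-decode as valid UTF-8 (the kind of input a server may decode inconsistently). The field order, the protected-folder list and the sample log lines are constructed assumptions for this example.

```python
"""Flag IIS log entries consistent with the anonymous WebDAV access bypass
described in the article (added example; not Microsoft's or the researcher's code).

Assumptions (not from the article): W3C extended log format with the field
order given in FIELDS, and a site-specific list of folders that are supposed
to require authentication (PROTECTED_PREFIXES).
"""
import posixpath
from urllib.parse import unquote_to_bytes

FIELDS = ["date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
          "s-port", "cs-username", "c-ip", "cs(User-Agent)", "sc-status"]

# Hypothetical folders that should only be reachable after authentication.
PROTECTED_PREFIXES = ["/protected/", "/webdav/private/"]

WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE",
                  "LOCK", "UNLOCK", "SEARCH"}


def parse_line(line):
    """Split one W3C log line into a dict; None for comment, blank or short lines."""
    if not line or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) < len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def normalize_path(uri_stem):
    """Percent-decode and canonicalize a request path.

    Returns (path, ok). ok is False when the decoded bytes are not valid
    UTF-8; such requests are surfaced for review instead of being normalized.
    """
    raw = unquote_to_bytes(uri_stem)
    try:
        text = raw.decode("utf-8", errors="strict")
    except UnicodeDecodeError:
        return uri_stem, False
    # Collapse "." and ".." segments so /a/../protected/x compares as /protected/x.
    return posixpath.normpath(text), True


def is_protected(path):
    # normpath strips the trailing slash, so match the bare folder name too.
    return any(path == p.rstrip("/") or path.startswith(p) for p in PROTECTED_PREFIXES)


def classify(entry):
    """Return a short reason string if the entry merits review, else None."""
    if entry["cs-username"] != "-":      # only anonymous requests are of interest here
        return None
    path, ok = normalize_path(entry["cs-uri-stem"])
    status = int(entry["sc-status"])
    if not ok:
        return "malformed percent-encoding in anonymous request"
    if is_protected(path) and 200 <= status < 300:
        # Anonymous request answered with success for a folder that should have
        # required credentials: matches the bypass the advisory describes.
        return "anonymous success response for protected path"
    if entry["cs-method"] in WEBDAV_METHODS and is_protected(path):
        # Rejected (401/403) anonymous WebDAV requests against protected folders
        # are lower priority but worth counting.
        return "anonymous WebDAV method against protected path"
    return None


def scan(lines):
    """Return (reason, method, original uri, status) for every flagged entry."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reason = classify(entry)
        if reason:
            hits.append((reason, entry["cs-method"], entry["cs-uri-stem"], entry["sc-status"]))
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2009-05-18 10:00:01 10.0.0.5 GET /public/index.htm - 80 - 192.0.2.10 Mozilla/4.0+(compatible) 200
2009-05-18 10:00:05 10.0.0.5 PROPFIND /protected/ - 80 - 192.0.2.20 Mozilla/4.0+(compatible) 401
2009-05-18 10:00:06 10.0.0.5 PROPFIND /protected/ - 80 CORP\\alice 192.0.2.30 Mozilla/4.0+(compatible) 207
2009-05-18 10:00:09 10.0.0.5 PROPFIND /protected/secret.doc - 80 - 192.0.2.20 Mozilla/4.0+(compatible) 207
2009-05-18 10:00:12 10.0.0.5 GET /public/docs%ff.htm - 80 - 192.0.2.20 Mozilla/4.0+(compatible) 200
""".splitlines()

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The success-response check is the strongest signal, since the article's point is that anonymous requests should never be served content from a password-protected WebDAV folder; a burst of 401s from one client is normal background noise, and the ordering of the checks reflects that.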

As a workaround, users can disable WebDAV functionality, Microsoft said. Users can also change file system access control lists to deny access to the anonymous user account, or use NTFS access control lists to restrict access to resources on the server.

"Microsoft will take the appropriate action to protect our customers, which may include providing a solution through our monthly security update release process, or an out-of-cycle security update, depending on customer needs," Christopher Budd, the security response communications lead for Microsoft said in a statement.

The flaw was discovered by security researcher Nikolaos Rangos, who posted details to the Full Disclosure security mailing list. In his IIS advisory, Rangos said the flaw enables attackers to bypass password-protected folders and to upload files to, or download files from, a password-protected WebDAV folder.

In its security advisory 971492, Microsoft downplayed the severity of the flaw, explaining that several security features must be bypassed to exploit it successfully.

Microsoft said an attacker cannot exceed the level of access granted to the anonymous user account since the IIS file system verifies whether a file is accessible by a given user. Also, the anonymous user account only has read access. Microsoft said the WebDAV extension is not enabled in the default configuration, meaning that many organizations may not be using it.

Danish vulnerability clearinghouse Secunia gave the flaw a moderately critical rating.
