Microsoft warns of IIS zero-day vulnerability

By Robert Westervelt, News Editor 19 May 2009 | SearchSecurity.com

Security Wire Daily News Digg This!     StumbleUpon     Del.icio.us

Microsoft is warning of an IIS zero-day vulnerability in Microsoft Internet Information Services (IIS) Web server, which if successfully exploited, could give an attacker elevated privileges to gain access to sensitive data.

SearchSecurity.com: To get security news and tips delivered to your inbox, click here to sign up for our free newsletter.

Microsoft said a remote authentication bypass vulnerability exists in the WebDAV extension, a collection of tools used to publish content to IIS Web servers. The Web server does not properly decode a requested URL. An attacker can exploit the flaw by creating a specially crafted anonymous HTTP request to gain access to a location. Microsoft said the hack typically requires authentication.

Microsoft IIS versions 5.0-6.0 are affected. The software giant said it is unaware of any known attacks against the flaw in the wild. But the U.S. Computer Emergency Response Team issued an advisory warning on Monday that it is aware of publicly available exploit code and active exploitation of the vulnerability.

IIS security information: Windows IIS server hardening checklist: Use this checklist on the job to secure your IIS server.   IIS security: Configure Web server permissions for better access control: Updating user access controls as business portfolios expand can help protect confidential data. How to implement IIS authentication settings: In this SearchSecurity.com Q&A, identity management and access control expert Joel Dubin reviews how to set IIS authentication permissions and allow open access to Web sites hosted on IIS Web servers.

As a workaround, users can disable WebDAV functionality, Microsoft said. Users can also deny file system access control lists for anonymous user accounts or use NTFS access control lists to control access to resources on the server.

"Microsoft will take the appropriate action to protect our customers, which may include providing a solution through our monthly security update release process, or an out-of-cycle security update, depending on customer needs," Christopher Budd, the security response communications lead for Microsoft said in a statement.

The flaw was discovered by security researcher Nikolaos Rangos, who posted details to the Full Disclosure security mailing list. In his IIS advisory, Rangos said the flaw enables attackers to bypass password protected folders and upload or download files into a password protected WebDAV folder.

In its 971492 security advisory, Microsoft downplayed the severity of the flaw explaining several security features that must be bypassed to successfully exploit the flaw.

SearchSecurity radio:

Microsoft said an attacker cannot exceed the level of access granted to the anonymous user account since the IIS file system verifies whether a file is accessible by a given user. Also, the anonymous user account only has read access. Microsoft said the WebDAV extension is not enabled in the default configuration, meaning that many organizations may not be using it.

Danish vulnerability clearinghouse Secunia gave the flaw a moderately critical rating.

Tags: Web Server Threats and Countermeasures,  Windows Security: Alerts, Updates and Best Practices,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Web Server Threats and Countermeasures Microsoft doesn't rule out rushed patch for IIS zero-day vulnerability How do passwordless SSH keys represent an enterprise attack vector? Information security book excerpts and reviews Increase in Gumblar backdoors poses FTP credential problems VeriSign extends DDoS attack protection service Microsoft issues IIS FTP advisory, exploit code circulates Panda reports fast-spreading rogueware antivirus fraud rakes in millions Oracle issues quarterly patches, fixes database flaws Latest DDoS attacks extremely unsophisticated, experts say Stolen FTP credentials likely in massive website attacks Windows Security: Alerts, Updates and Best Practices Microsoft patches SMB flaws, Hyper-V problem in big update Microsoft to fix 26 flaws in Windows, Office Microsoft warns that IE zero-day vulnerability causes data leakage Microsoft issues critical security update, blocks IE 6 attacks Microsoft emergency IE update to block latest corporate attacks Latest zero-day attacks only target IE 6, Microsoft says Hackers used IE zero-day in Google, Adobe attacks, McAfee says Microsoft issues advisory on Internet Explorer zero-day Microsoft releases Windows OpenType Font Engine patch Microsoft to patch single Windows 2000 vulnerability

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary cache cramming  (SearchSecurity.com) content filtering  (SearchSecurity.com) Web filter  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary