Microsoft urges immediate fix of critical IIS flaw

By Edward Hurley, News Writer 21 Nov 2002 | SearchSecurity.com

Digg This!     StumbleUpon     Del.icio.us

A critical buffer overflow vulnerability affecting Microsoft's Internet Information Services (IIS) Web server and Internet Explorer could leave companies open to Nimda-style attackers.

FOR MORE INFORMATION: SearchSecurity.com news exclusive: "Buffer overflows likely to be around for another decade" SearchSecurity.com technical tip: "Defining and preventing buffer overflows" SearchSecurity.com news exclusive: "One year later, Nimda is still a threat" SearchSecurity.com news exclusive: "SANS, FBI identify top 20 Windows, Unix vulnerabilities" Feedback on this story? Send your comments to News Writer Edward Hurley

The flaw is in Microsoft Data Access Components, a collection of components that make it easy for programs to access databases and manipulate the data within them. It's used by IIS and Internet Explorer.

Microsoft and security experts are urging affected users to patch their systems as soon as possible. Web servers running Microsoft Data Access Components 2.1, Microsoft Data Access Components 2.5 and Microsoft Data Access Components 2.6 are affected. Several versions of the Windows operating system are also affected. Attackers exploiting the flaw could run code on a vulnerable machine. No exploits are known to exist, experts said.

"Clearly, this vulnerability is very serious, and Microsoft recommends that all customers whose systems could be affected by them take appropriate action immediately," the company said in an advisory released Wednesday.

Exploiting the flaw on the client side is more difficult than on the server side. Web surfers using Internet Explorer 5.01, 5.5 and 6, which use the data access component, could be affected if they visit a Web site set up to exploit the flaw. The issue doesn't affect Windows XP users. Systems using Outlook Express 6 and Outlook 2000 are safe if they are running default settings. People using other versions of the mail client may also be safe if they have run Outlook E-mail Security Update.

The vulnerability is the result of an unchecked buffer. An attacker can send a malformed HTTP request, which could allow the attacker's data to overrun onto the heap. The buffer overflow is a heap variety, which is harder to exploit than the more common stack kind.

Creating code to exploit the flaw, however, would take as much savvy as the authors of Code Red and Nimda displayed, said George Kurtz, CEO of Foundstone Inc., which alerted Microsoft to the flaw.

"This is very, very serious," Kurtz said, noting that companies should patch their systems as soon as possible. "We don't want this to become the next security tsunami."

So far, there isn't any known code taking advantage of the flaw, but this shouldn't make affected users complacent. The risks posed by the flaw can't be ignored, Kurtz said. Exploiting it both on the server and client side would allow attackers to gain control of affected systems.

Digg This!     StumbleUpon     Del.icio.us

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary