Confusing MS security bulletin aided IIS worm

No wonder so many machines got hit


Exclusive: The sadmind/IIS worm, which has been defacing Microsoft IIS machines so prolifically during the past ten days, might be getting a little help from a poorly-worded MS security bulletin.

The worm infects Solaris boxes up to version 7 by exploiting the sadmind vulnerability, then scans for IIS machines susceptible to the folder traversal vulnerability which was patched last October, and then defaces the default Web page.

We were mightily impressed by the large number of IIS machines attacked by the worm, since a fix has been available for seven months. We originally chalked that up to widespread sysadmin indifference, which is often a safe bet.

But following a tip from a Reg reader who fell victim to the worm after patching his system, we had to look into other possibilities.

And sure enough, it appears to us now that if the patch and several Windows service packs (how many times have we warned you not to play with these things?) are not installed in the correct order, the patch might be useless.

According to MS's security bulletin, "the IIS 4.0 patch can be installed on systems running Windows NT 4.0 Service Packs 5.0 and 6.0a. The IIS 5.0 patch can be installed on systems running either Windows 2000 Gold or Service Pack 1.0."

The wording here is quite specific, and may well have been overlooked by a number of sysadmins. It implies that it's necessary to have installed either of the NT service packs, 5.0 or 6.0a, for the patch to be effective, which is true; but it doesn't address what might happen if a system were upgraded after the patch was installed.

Thus if you (re)installed IIS, or installed a more recent service pack on an NT machine after patching the IIS folder traversal vulnerability, you must re-install the hotfix.

Our tipster believes that a recent service pack (presumably NT 6.0a) may have accidentally over-written files associated with the IIS patch, but Microsoft tested this at our request with NT pack 6.0a, and found it to be impossible. It is also impossible to over-write the patch with Win 2K SP 1.0, the company told us.

The company suggests that our user may have an unusual network configuration, which certainly is possible. The remaining possibility is that the user needed to re-install the patch after either (re)installing IIS or upgrading his NT service pack -- which is why we recommend that the patch be re-installed by everyone with doubts about their past network configuration.

As for Win 2K, "the patch may be applied to Windows 2000 with or without SP1. Specific to Windows 2000, if you install the hotfix on Gold (no SP), and then install SP1, the patch is not overwritten by SP1," Microsoft's Security Response Center told us.

However, a user "must re-apply the Service Pack and any hotfixes after installing something from original media (like after installing IIS). The same is [true] when upgrading from one SP to another SP -- you must then re-apply all post-SP hotfixes applicable to the new SP," we were told.

So it's likely that our tipster either installed or reinstalled IIS after patching his system, or installed a more recent NT service pack, thereby rendering his folder traversal vulnerability patch ineffective.
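The re-application rules Microsoft states above (a hotfix is lost after an SP-to-SP upgrade or after installing a component from original media; a hotfix applied on Win 2K Gold survives SP1; the NT4 patch refuses to install below SP5) can be replayed over a host's install history to tell an admin whether the folder traversal fix is still in effect. This is an added example, not Register or Microsoft tooling; the event names, the hotfix label "iis-traversal-fix" and the histories are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed for this example: the bulletin quoted above says the NT4 patch
# refuses to install below SP5 and is supported on SP5 and SP6a.
NT4_SP_FOR_HOTFIX = {"SP5", "SP6a"}

@dataclass
class Event:
    kind: str   # "sp" | "hotfix" | "original_media"
    name: str   # e.g. "SP6a", "iis-traversal-fix", "IIS"

@dataclass
class Host:
    os: str                                       # "NT4" or "Win2K"
    sp: str = "Gold"                              # service-pack level reached so far
    hotfixes: set = field(default_factory=set)    # hotfixes currently effective
    findings: list = field(default_factory=list)  # why a hotfix stopped being effective

def replay(host, events):
    """Replay an install history in order; return the hotfixes still in effect."""
    for ev in events:
        if ev.kind == "hotfix":
            if host.os == "NT4" and host.sp not in NT4_SP_FOR_HOTFIX:
                host.findings.append(f"{ev.name} refused: NT4 patch needs SP5/SP6a, host at {host.sp}")
                continue
            host.hotfixes.add(ev.name)
        elif ev.kind == "sp":
            old, host.sp = host.sp, ev.name
            if host.os == "Win2K" and old == "Gold" and ev.name == "SP1":
                continue  # MSRC: a hotfix applied on Win2K Gold is not overwritten by SP1
            for h in sorted(host.hotfixes):  # SP-to-SP upgrade: re-apply all post-SP hotfixes
                host.findings.append(f"{h} lost: post-{old} hotfix must be re-applied after {ev.name}")
            host.hotfixes.clear()
        elif ev.kind == "original_media":
            # Installing a component from original media (e.g. adding IIS) brings back
            # unpatched files: the service pack and every hotfix must be re-applied.
            for h in sorted(host.hotfixes):
                host.findings.append(f"{h} lost: re-apply {host.sp} and hotfixes after installing {ev.name}")
            host.hotfixes.clear()
        else:
            raise ValueError(f"unknown event kind {ev.kind!r}")
    return host.hotfixes

def traversal_fix_effective(host, events, fix="iis-traversal-fix"):
    """True only if the folder-traversal hotfix survived the whole install history."""
    return fix in replay(host, events)
```

Feeding the tipster's likely history (SP5, hotfix, then SP6a) to `traversal_fix_effective` returns False, with `host.findings` explaining that the post-SP5 hotfix must be re-applied after SP6a.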

MS ought really to have emphasized this in the security bulletin. To say that the patch "can be installed on systems running Windows NT 4.0 Service Packs 5.0 and 6.0a ... and on systems running either Windows 2000 Gold or Service Pack 1.0" really isn't strong enough if the patch has to be re-installed when upgrading a service pack or re-installing an application.

Indeed, the bulletin says only that "the NT4 patch cannot be installed on systems prior to SP5. (By 'cannot' [it is meant that] when you execute the patch file, it will give a popup error message and fail to install, stating that the patch won't install on that version of the installed SP)," the company explained to us.

And of course this is a separate issue from whether or not installing or re-installing an application, or upgrading a service pack, would require one to re-install the hotfix. Now we know it's necessary to do just that. It ought to have been emphasized, and we hope MS will edit their security bulletin accordingly.

Some admins may wish to re-install the IIS patch even if they're confident that they got it and everything else installed in the proper sequence. We don't believe this degree of vigilance is necessary; but patching is quite easy, and it certainly does no harm to err on the side of caution. ®

Related Links

Patch for IIS-4
Patch for IIS-5
Solaris patches
MS recommended installation sequences

Related Stories

Solaris/IIS worm hits 9000 boxes in 48 hours
Worm puts old IIS attack in full-auto mode
