Confusing MS security bulletin aided IIS worm

No wonder so many machines got hit

Exclusive: The sadmind/IIS worm, which has been defacing Microsoft IIS machines so prolifically during the past ten days, might be getting a little help from a poorly-worded MS security bulletin.

The worm infects Solaris boxes up to version 7 by exploiting the sadmind vulnerability, then scans for IIS machines susceptible to the folder traversal vulnerability which was patched last October, and then defaces the default Web page.

We were mightily impressed by the large number of IIS machines attacked by the worm, since a fix has been available for seven months. We originally chalked that up to widespread sysadmin indifference, which is often a safe bet.

But following a tip from a Reg reader who fell victim to the worm after patching his system, we had to look into other possibilities.

And sure enough, it appears to us now that if the patch and several Windows service packs (how many times have we warned you not to play with these things?) are not installed in the correct order, the patch might be useless.

According to MS's security bulletin, "the IIS 4.0 patch can be installed on systems running Windows NT 4.0 Service Packs 5.0 and 6.0a. The IIS 5.0 patch can be installed on systems running either Windows 2000 Gold or Service Pack 1.0."

The wording here is quite specific, and may well have been overlooked by a number of sysadmins. It implies that it's necessary to have installed either of the NT service packs, 5.0 or 6.0a, for the patch to be effective, which is true; but it doesn't address what might happen if a system were upgraded after the patch was installed.

Thus if you (re)installed IIS, or installed a more recent service pack on an NT machine after patching the IIS folder traversal vulnerability, you must re-install the hotfix.

Our tipster believes that a recent service pack (presumably NT 6.0a) may have accidentally over-written files associated with the IIS patch, but Microsoft tested this at our request with NT pack 6.0a, and found it to be impossible. It is also impossible to over-write the patch with Win 2K SP 1.0, the company told us.

The company suggests that our user may have an unusual network configuration, which certainly is possible. The remaining possibility is that the user needed to re-install the patch after either (re)installing IIS or upgrading his NT service pack -- which is why we recommend that the patch be re-installed by everyone with doubts about their past network configuration.

As for Win 2K, "the patch may be applied to Windows 2000 with or without SP1. Specific to Windows 2000, if you install the hotfix on Gold (no SP), and then install SP1, the patch is not overwritten by SP1," Microsoft's Security Response Center told us.

However, a user "must re-apply the Service Pack and any hotfixes after installing something from original media (like after installing IIS). The same is [true] when upgrading from one SP to another SP -- you must then re-apply all post-SP hotfixes applicable to the new SP," we were told.

So it's likely that our tipster either installed or reinstalled IIS after patching his system, or installed a more recent NT service pack, thereby rendering his folder traversal vulnerability patch ineffective.

MS ought really to have emphasized this in the security bulletin. To say that the patch "can be installed on systems running Windows NT 4.0 Service Packs 5.0 and 6.0a ... and on systems running either Windows 2000 Gold or Service Pack 1.0" really isn't strong enough if the patch has to be re-installed when upgrading a service pack or re-installing an application.

Indeed, the bulletin says only that "the NT4 patch cannot be installed on systems prior to SP5. (By 'cannot' [it is meant that] when you execute the patch file, it will give a popup error message and fail to install, stating that the patch won't install on that version of the installed SP)," the company explained to us.

And of course this is a separate issue from whether or not installing or re-installing an application, or upgrading a service pack, would require one to re-install the hotfix. Now we know it's necessary to do just that. It ought to have been emphasized, and we hope MS will edit their security bulletin accordingly.
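The re-application rules Microsoft spelled out above can be written down as a small state model, which makes a sequence like the tipster's (patch, then a newer service pack) easy to audit. This is an added illustration, not Microsoft's or The Register's code; the platform and SP names come from the article, while the `Host` class, its event names and the assumption that a reverted SP must go back on before the hotfix are mine.

```python
from dataclasses import dataclass, field

# SP levels on which the bulletin says each patch can be installed (taken from the article).
SUPPORTED_SP = {"NT4": {"SP5", "SP6a"}, "Win2000": {"Gold", "SP1"}}

@dataclass
class Host:
    platform: str                   # "NT4" or "Win2000"
    sp: str                         # current SP level; "Gold" means no SP
    sp_files_current: bool = True   # False once an install from original media reverts SP files
    hotfix_effective: bool = False  # folder-traversal hotfix in place and not invalidated
    log: list = field(default_factory=list)

    def apply_sp(self, sp: str) -> None:
        """Install (or re-install) a service pack."""
        from_sp, was_upgrade = self.sp, self.sp_files_current and sp != self.sp
        self.sp, self.sp_files_current = sp, True
        # Win2000 Gold -> SP1 keeps the hotfix (per MSRC); an SP-to-SP upgrade means
        # every post-SP hotfix must be re-applied for the new SP.
        if was_upgrade and not (self.platform == "Win2000" and from_sp == "Gold"):
            self.hotfix_effective = False
            self.log.append(f"{from_sp} -> {sp}: re-apply post-SP hotfixes")

    def apply_hotfix(self) -> bool:
        """Install the hotfix; the NT4 patch refuses to run below SP5 (popup error)."""
        if self.sp not in SUPPORTED_SP[self.platform]:
            self.log.append(f"hotfix refused on {self.platform} {self.sp}")
            return False
        if not self.sp_files_current:  # assumption: the SP goes back on before hotfixes
            self.log.append(f"re-apply {self.sp} before the hotfix")
            return False
        self.hotfix_effective = True
        return True

    def install_from_media(self, component: str) -> None:
        """Installing from original media (e.g. IIS): SP and hotfixes must be re-applied."""
        if self.sp != "Gold":
            self.sp_files_current = False
        self.hotfix_effective = False
        self.log.append(f"{component} from media: re-apply SP and hotfixes")

    def required_actions(self) -> list:
        """What an admin still has to do for the hotfix to count as installed."""
        actions = []
        if not self.sp_files_current:
            actions.append(f"re-apply {self.sp}")
        if not self.hotfix_effective:
            actions.append("re-apply folder-traversal hotfix")
        return actions
```

Running the tipster's sequence (`Host("NT4", "SP5")`, `apply_hotfix()`, `apply_sp("SP6a")`) leaves `required_actions()` reporting that the hotfix must go back on, which is exactly the step the bulletin never spelled out.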

Some admins may wish to re-install the IIS patch even if they're confident that they got it and everything else installed in the proper sequence. We don't believe this degree of vigilance is necessary; but patching is quite easy, and it certainly does no harm to err on the side of caution. ®

Related Links

Patch for IIS-4
Patch for IIS-5
Solaris patches
MS recommended installation sequences

Related Stories

Solaris/IIS worm hits 9000 boxes in 48 hours
Worm puts old IIS attack in full-auto mode