Confusing MS security bulletin aided IIS worm

No wonder so many machines got hit

Exclusive: The sadmind/IIS worm, which has been defacing Microsoft IIS machines so prolifically during the past ten days, might be getting a little help from a poorly-worded MS security bulletin.

The worm infects Solaris boxes up to version 7 by exploiting the sadmind vulnerability, then scans for IIS machines susceptible to the folder traversal vulnerability which was patched last October, and then defaces the default Web page.

We were mightily impressed by the large number of IIS machines attacked by the worm, since a fix has been available for seven months. We originally chalked that up to widespread sysadmin indifference, which is often a safe bet.

But following a tip from a Reg reader who fell victim to the worm after patching his system, we had to look into other possibilities.

And sure enough, it appears to us now that if the patch and several Windows service packs (how many times have we warned you not to play with these things?) are not installed in the correct order, the patch might be useless.

According to MS's security bulletin, "the IIS 4.0 patch can be installed on systems running Windows NT 4.0 Service Packs 5.0 and 6.0a. The IIS 5.0 patch can be installed on systems running either Windows 2000 Gold or Service Pack 1.0."

The wording here is quite specific, and may well have been overlooked by a number of sysadmins. It implies that it's necessary to have installed either of the NT service packs, 5.0 or 6.0a, for the patch to be effective, which is true; but it doesn't address what might happen if a system were upgraded after the patch was installed.

Thus if you (re)installed IIS, or installed a more recent service pack on an NT machine after patching the IIS folder traversal vulnerability, you must re-install the hotfix.

Our tipster believes that a recent service pack (presumably NT 6.0a) may have accidentally overwritten files associated with the IIS patch, but Microsoft tested this at our request with NT pack 6.0a, and found it to be impossible. It is also impossible to overwrite the patch with Win 2K SP 1.0, the company told us.

The company suggests that our user may have an unusual network configuration, which certainly is possible. The remaining possibility is that the user needed to re-install the patch after either (re)installing IIS or upgrading his NT service pack -- which is why we recommend that the patch be re-installed by everyone with doubts about their past network configuration.

As for Win 2K, "the patch may be applied to Windows 2000 with or without SP1. Specific to Windows 2000, if you install the hotfix on Gold (no SP), and then install SP1, the patch is not overwritten by SP1," Microsoft's Security Response Center told us.

However, a user "must re-apply the Service Pack and any hotfixes after installing something from original media (like after installing IIS). The same is [true] when upgrading from one SP to another SP -- you must then re-apply all post-SP hotfixes applicable to the new SP," we were told.

So it's likely that our tipster either installed or reinstalled IIS after patching his system, or installed a more recent NT service pack, thereby rendering his folder traversal vulnerability patch ineffective.

MS ought really to have emphasized this in the security bulletin. To say that the patch "can be installed on systems running Windows NT 4.0 Service Packs 5.0 and 6.0a ... and on systems running either Windows 2000 Gold or Service Pack 1.0" really isn't strong enough if the patch has to be re-installed when upgrading a service pack or re-installing an application.

Indeed, the bulletin says only that "the NT4 patch cannot be installed on systems prior to SP5. (By 'cannot' [it is meant that] when you execute the patch file, it will give a popup error message and fail to install, stating that the patch won't install on that version of the installed SP)," the company explained to us.

And of course this is a separate issue from whether or not installing or re-installing an application, or upgrading a service pack, would require one to re-install the hotfix. Now we know it's necessary to do just that. It ought to have been emphasized, and we hope MS will edit their security bulletin accordingly.
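The rule Microsoft spells out above (re-apply post-SP hotfixes after any service pack upgrade or after reinstalling a component from original media) is easy to get wrong when reconstructing a box's history by hand. The following is an added illustration, not code from the article or from Microsoft: a small Python audit that replays a machine's install events in date order and reports which hotfixes are still effective and which need re-applying. The event records, the hotfix names `IIS4-TRAVERSAL-FIX` and `IIS5-TRAVERSAL-FIX`, and all dates are constructed placeholders (the article names no bulletin or KB number); on a real system the event list would be assembled from the hotfix registry entries or setup logs, which is an assumption about how it would be used. The Windows 2000 Gold to SP1 case that Microsoft says does not overwrite the hotfix is modelled as an explicit exception set rather than as the general rule.

```python
"""Hotfix-ordering audit (added example; placeholder names and dates).

Models the sequencing rules quoted from Microsoft in the article:
  * a hotfix refuses to install on a service pack level it does not support;
  * upgrading to a later service pack invalidates post-SP hotfixes applied
    before it, unless the (old, new) pair is a known preserving upgrade;
  * reinstalling a component from original media invalidates the hotfixes
    that patch that component.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Event:
    when: date
    kind: str                # "sp" | "hotfix" | "reinstall"
    name: str                # SP level, hotfix id, or reinstalled component
    component: str = ""      # hotfix only: the component it patches
    allowed_sps: tuple = ()  # hotfix only: SP levels its installer accepts


def audit_hotfixes(events, preserving_upgrades=frozenset()):
    """Replay events in date order; return {hotfix_name: status string}."""
    current_sp = None
    status = {}
    live = {}  # hotfixes currently effective -> component they patch
    for ev in sorted(events, key=lambda e: e.when):
        if ev.kind == "sp":
            # An SP upgrade wipes post-SP hotfixes unless explicitly preserved.
            for hf in list(live):
                if (current_sp, ev.name) not in preserving_upgrades:
                    status[hf] = (f"needs reapplication: {ev.name} installed "
                                  f"{ev.when} after hotfix")
                    del live[hf]
            current_sp = ev.name
        elif ev.kind == "hotfix":
            # The bulletin says the NT4 patch pops an error and fails pre-SP5.
            if ev.allowed_sps and current_sp not in ev.allowed_sps:
                status[ev.name] = f"never installed: installer rejects {current_sp}"
                continue
            status[ev.name] = f"effective (applied {ev.when} on {current_sp})"
            live[ev.name] = ev.component
        elif ev.kind == "reinstall":
            # Installing from original media replaces the patched files.
            for hf, comp in list(live.items()):
                if comp == ev.name:
                    status[hf] = (f"needs reapplication: {ev.name} reinstalled "
                                  f"{ev.when} after hotfix")
                    del live[hf]
        else:
            raise ValueError(f"unknown event kind {ev.kind!r}")
    return status


# Constructed histories (placeholder hotfix ids and dates, not real records).
NT4_HOTFIX = ("IIS4-TRAVERSAL-FIX", "IIS", ("SP5", "SP6a"))
W2K_HOTFIX = ("IIS5-TRAVERSAL-FIX", "IIS", ("Gold", "SP1"))

NT4_SP_AFTER_HOTFIX = [            # the scenario the article's tipster hit
    Event(date(1999, 6, 1), "sp", "SP5"),
    Event(date(2000, 10, 20), "hotfix", *NT4_HOTFIX),
    Event(date(2001, 2, 1), "sp", "SP6a"),
]
NT4_IIS_REINSTALLED = [            # hotfix then IIS put back from CD
    Event(date(1999, 6, 1), "sp", "SP6a"),
    Event(date(2000, 10, 20), "hotfix", *NT4_HOTFIX),
    Event(date(2001, 3, 5), "reinstall", "IIS"),
]
NT4_TOO_EARLY = [                  # patch attempted on an unsupported SP
    Event(date(1999, 1, 1), "sp", "SP4"),
    Event(date(2000, 10, 20), "hotfix", *NT4_HOTFIX),
]
W2K_GOLD_THEN_SP1 = [              # the case Microsoft says is safe
    Event(date(2000, 3, 1), "sp", "Gold"),
    Event(date(2000, 10, 20), "hotfix", *W2K_HOTFIX),
    Event(date(2001, 1, 10), "sp", "SP1"),
]
W2K_PRESERVING = frozenset({("Gold", "SP1")})

if __name__ == "__main__":
    for label, events, keep in [
        ("NT4, SP after hotfix", NT4_SP_AFTER_HOTFIX, frozenset()),
        ("NT4, IIS reinstalled", NT4_IIS_REINSTALLED, frozenset()),
        ("NT4, hotfix before SP5", NT4_TOO_EARLY, frozenset()),
        ("Win2K, Gold then SP1", W2K_GOLD_THEN_SP1, W2K_PRESERVING),
    ]:
        print(label, "->", audit_hotfixes(events, keep))
```

The audit is deliberately pessimistic: any service pack change not listed in `preserving_upgrades` flags every live hotfix, which matches the article's advice to re-install when in doubt. The `allowed_sps` check reproduces the separate point in the bulletin, that the NT4 patch will not install at all below SP5, so a failed install and an install later undone by an SP upgrade are reported as different problems.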

Some admins may wish to re-install the IIS patch even if they're confident that they got it and everything else installed in the proper sequence. We don't believe this degree of vigilance is necessary; but patching is quite easy, and it certainly does no harm to err on the side of caution. ®

Related Links

Patch for IIS-4
Patch for IIS-5
Solaris patches
MS recommended installation sequences

Related Stories

Solaris/IIS worm hits 9000 boxes in 48 hours
Worm puts old IIS attack in full-auto mode