Confusing MS security bulletin aided IIS worm

No wonder so many machines got hit

Exclusive: The sadmind/IIS worm, which has been defacing Microsoft IIS machines so prolifically during the past ten days, might be getting a little help from a poorly-worded MS security bulletin.

The worm infects Solaris boxes up to version 7 by exploiting the sadmind vulnerability, then scans for IIS machines susceptible to the folder traversal vulnerability which was patched last October, and then defaces the default Web page.

We were mightily impressed by the large number of IIS machines attacked by the worm, since a fix has been available for seven months. We originally chalked that up to widespread sysadmin indifference, which is often a safe bet.

But following a tip from a Reg reader who fell victim to the worm after patching his system, we had to look into other possibilities.

And sure enough, it appears to us now that if the patch and several Windows service packs (how many times have we warned you not to play with these things?) are not installed in the correct order, the patch might be useless.

According to MS's security bulletin, "the IIS 4.0 patch can be installed on systems running Windows NT 4.0 Service Packs 5.0 and 6.0a. The IIS 5.0 patch can be installed on systems running either Windows 2000 Gold or Service Pack 1.0."

The wording here is quite specific, and may well have been overlooked by a number of sysadmins. It implies that it's necessary to have installed either of the NT service packs, 5.0 or 6.0a, for the patch to be effective, which is true; but it doesn't address what might happen if a system were upgraded after the patch was installed.

Thus if you (re)installed IIS, or installed a more recent service pack on an NT machine after patching the IIS folder traversal vulnerability, you must re-install the hotfix.

Our tipster believes that a recent service pack (presumably NT 6.0a) may have accidentally over-written files associated with the IIS patch, but Microsoft tested this at our request with NT pack 6.0a, and found it to be impossible. It is also impossible to over-write the patch with Win 2K SP 1.0, the company told us.

The company suggests that our user may have an unusual network configuration, which certainly is possible. The remaining possibility is that the user needed to re-install the patch after either (re)installing IIS or upgrading his NT service pack -- which is why we recommend that the patch be re-installed by everyone with doubts about their past network configuration.

As for Win 2K, "the patch may be applied to Windows 2000 with or without SP1. Specific to Windows 2000, if you install the hotfix on Gold (no SP), and then install SP1, the patch is not overwritten by SP1," Microsoft's Security Response Center told us.

However, a user "must re-apply the Service Pack and any hotfixes after installing something from original media (like after installing IIS). The same is [true] when upgrading from one SP to another SP -- you must then re-apply all post-SP hotfixes applicable to the new SP," we were told.

So it's likely that our tipster either installed or reinstalled IIS after patching his system, or installed a more recent NT service pack, thereby rendering his folder traversal vulnerability patch ineffective.

MS ought really to have emphasized this in the security bulletin. To say that the patch "can be installed on systems running Windows NT 4.0 Service Packs 5.0 and 6.0a ... and on systems running either Windows 2000 Gold or Service Pack 1.0" really isn't strong enough if the patch has to be re-installed when upgrading a service pack or re-installing an application.

Indeed, the bulletin says only that "the NT4 patch cannot be installed on systems prior to SP5. (By 'cannot' [it is meant that] when you execute the patch file, it will give a popup error message and fail to install, stating that the patch won't install on that version of the installed SP)," the company explained to us.

And of course this is a separate issue from whether or not installing or re-installing an application, or upgrading a service pack, would require one to re-install the hotfix. Now we know it's necessary to do just that. It ought to have been emphasized, and we hope MS will edit their security bulletin accordingly.
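To make the ordering rules quoted above concrete, here is an added example (not from the article, Microsoft, or any official tool) that replays a machine's install history against the MSRC statements: the NT4 patch refuses to install before SP5, the Win2K patch installs on Gold or SP1 and survives a later SP1 install, and installing from original media or moving to a new service pack requires the post-SP hotfixes to be re-applied. Event names, the integer SP levels (6 standing in for 6.0a) and the "effective" flag are this example's own simplifications.

```python
# Added example: replay an install sequence and report whether the IIS
# folder-traversal hotfix is still effective under the rules quoted from MSRC.
# Assumed/constructed: event tuples, integer SP levels, the "effective" flag.

NT4_MIN_SP = 5            # NT4 patch fails with a popup on anything before SP5
W2K_ALLOWED_SP = {0, 1}   # W2K patch installs on Gold (SP0) or SP1
# MSRC exception: a hotfix applied to W2K Gold is not overwritten by SP1.
SP_INSTALL_KEEPS_HOTFIX = {("W2K", 0, 1)}


def patch_installable(os_name, sp):
    """Would the hotfix installer accept this OS / service-pack combination?"""
    if os_name == "NT4":
        return sp >= NT4_MIN_SP
    if os_name == "W2K":
        return sp in W2K_ALLOWED_SP
    raise ValueError(f"unknown OS {os_name!r}")


def replay(os_name, events):
    """Replay events ('sp', level), ('hotfix',), ('media', product).

    Returns (hotfix_effective, notes); notes list every point at which the
    admin would have had to re-apply something for the patch to count.
    """
    sp, effective, notes = 0, False, []
    for ev in events:
        kind = ev[0]
        if kind == "sp":
            new_sp = ev[1]
            # Upgrading SP invalidates post-SP hotfixes unless MSRC says otherwise.
            if effective and (os_name, sp, new_sp) not in SP_INSTALL_KEEPS_HOTFIX:
                effective = False
                notes.append(f"SP{sp}->SP{new_sp}: re-apply post-SP hotfixes")
            sp = new_sp
        elif kind == "hotfix":
            if patch_installable(os_name, sp):
                effective = True
            else:
                notes.append(f"hotfix refused on {os_name} SP{sp}")
        elif kind == "media":
            # Anything installed from original media (e.g. IIS) means the SP
            # and every hotfix must be re-applied afterwards.
            if effective:
                effective = False
                notes.append(f"{ev[1]} from original media: re-apply SP{sp} and hotfixes")
        else:
            raise ValueError(f"unknown event {kind!r}")
    return effective, notes
```

Feeding in the tipster's likely history (patch, then reinstall IIS or move to a newer SP) shows the hotfix flagged as ineffective until it is applied again, which is the check the bulletin's wording left the reader to work out.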

Some admins may wish to re-install the IIS patch even if they're confident that they got it and everything else installed in the proper sequence. We don't believe this degree of vigilance is necessary; but patching is quite easy, and it certainly does no harm to err on the side of caution. ®

Related Links

Patch for IIS-4
Patch for IIS-5
Solaris patches
MS recommended installation sequences

Related Stories

Solaris/IIS worm hits 9000 boxes in 48 hours
Worm puts old IIS attack in full-auto mode
