Feeds

Microsoft IIS hole fells university server

Hackers find zero-day bug irresistible

5 things you didn’t know about cloud backup

Updated This story was updated at 21st May 2009 05:01 GMT to include Microsoft comments refuting the university's claims that the IIS vulnerability was exploited in the attack. It was updated again at 21st May 2009 23:10 GMT to note that University officials have recanted their claims. Please see this updated story.

Hackers have wasted no time targeting a gaping hole in Microsoft's Internet Information Services webserver, according to administrators at Ball State University, who say servers that used the program were breached on Monday.

As of Wednesday morning California time, iWeb accounts at the Muncie, Indiana-based university remained inaccessible and service wasn't expected to be restored until Thursday or Friday, Patty Lucas, a senior help desk support admin for Ball State's Computing Services said. University administrators were working with Microsoft employees to investigate and fix the break in.

About seven hours after this story was first published, a Microsoft statement refuted the claims, which university officials first aired on Tuesday on its website.

"Microsoft has investigated a public report of a targeted attack on the Internet Information Services (IIS) vulnerability addressed in Security Advisory 971492," the statement read. "Our investigation revealed that the vulnerability was not exploited to accomplish this attack. Microsoft is still not aware of attacks that are trying to use this vulnerability or of customer impact at this time."

On Monday, Microsoft confirmed what it called an "elevation of privilege vulnerability" in versions 5 and 6 of IIS when it runs an extension known as WebDAV. Microsoft said at the time it was unaware of any in-the-wild exploits of the vulnerability. The assessment was at odds with this warning in which the US Computer Emergency Response Team said it was aware of "publicly available exploit code and active exploitation of this vulnerability."

The flaw is significant because it allows anyone with a web browser to list, access, and possibly upload files in a password-protected WebDAV folder on a vulnerable machine, according to Nikolaos Rangos, a security researcher who published his findings on Friday. The bug resides in the part of IIS that processes commands based on the WebDAV protocol.

By adding several unicode characters - specifically "%c0%af" - to a web address, attackers can trick the widely used webserver into accessing parts of the system that are supposed to be off limits to outsiders.

Microsoft's advisory correctly points out that several conditions make the vulnerability hard to exploit in some cases. For one, WebDAV is not enabled by default in IIS6, and for another, intruders would not be able to exceed the privileges of an anonymous user. By default, such accounts are not permitted to upload files to a server.

But based on Lucas's description, the Ball State hackers may have been able to do just that. Shortly after the attack, students checking their iWeb pages were greeted with a message that said they had been hacked. There are no indications any data was stolen or malicious files uploaded, she said. ®

Secure remote control for conventional and virtual desktops

More from The Register

next story
One HUNDRED FAMOUS LADIES exposed NUDE online
Celebrity women victimised as Apple iCloud accounts reportedly popped
Rubbish WPS config sees WiFi router keys popped in seconds
Another day, another way in to your home router
Goog says patch⁵⁰ your Chrome
64-bit browser loads cat vids FIFTEEN PERCENT faster!
NIST to sysadmins: clean up your SSH mess
Too many keys, too badly managed
Scratched PC-dispatch patch patched, hatched in batch rematch
Windows security update fixed after triggering blue screens (and screams) of death
Researchers camouflage haxxor traps with fake application traffic
Honeypots sweetened to resemble actual workloads, complete with 'secure' logins
Attack flogged through shiny-clicky social media buttons
66,000 users popped by malicious Flash fudging add-on
New Snowden leak: How NSA shared 850-billion-plus metadata records
'Federated search' spaffed info all over Five Eyes chums
Three quarters of South Korea popped in online gaming raids
Records used to plunder game items, sold off to low lifes
prev story

Whitepapers

Endpoint data privacy in the cloud is easier than you think
Innovations in encryption and storage resolve issues of data privacy and key requirements for companies to look for in a solution.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Advanced data protection for your virtualized environments
Find a natural fit for optimizing protection for the often resource-constrained data protection process found in virtual environments.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Next gen security for virtualised datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.