Feeds

Microsoft IIS hole fells university server

Hackers find zero-day bug irresistible

Build a business case: developing custom apps

Updated This story was updated at 21st May 2009 05:01 GMT to include Microsoft comments refuting the university's claims that the IIS vulnerability was exploited in the attack. It was updated again at 21st May 2009 23:10 GMT to note that University officials have recanted their claims. Please see this updated story.

Hackers have wasted no time targeting a gaping hole in Microsoft's Internet Information Services webserver, according to administrators at Ball State University, who say servers that used the program were breached on Monday.

As of Wednesday morning California time, iWeb accounts at the Muncie, Indiana-based university remained inaccessible and service wasn't expected to be restored until Thursday or Friday, Patty Lucas, a senior help desk support admin for Ball State's Computing Services said. University administrators were working with Microsoft employees to investigate and fix the break in.

About seven hours after this story was first published, a Microsoft statement refuted the claims, which university officials first aired on Tuesday on its website.

"Microsoft has investigated a public report of a targeted attack on the Internet Information Services (IIS) vulnerability addressed in Security Advisory 971492," the statement read. "Our investigation revealed that the vulnerability was not exploited to accomplish this attack. Microsoft is still not aware of attacks that are trying to use this vulnerability or of customer impact at this time."

On Monday, Microsoft confirmed what it called an "elevation of privilege vulnerability" in versions 5 and 6 of IIS when it runs an extension known as WebDAV. Microsoft said at the time it was unaware of any in-the-wild exploits of the vulnerability. The assessment was at odds with this warning in which the US Computer Emergency Response Team said it was aware of "publicly available exploit code and active exploitation of this vulnerability."

The flaw is significant because it allows anyone with a web browser to list, access, and possibly upload files in a password-protected WebDAV folder on a vulnerable machine, according to Nikolaos Rangos, a security researcher who published his findings on Friday. The bug resides in the part of IIS that processes commands based on the WebDAV protocol.

By adding several unicode characters - specifically "%c0%af" - to a web address, attackers can trick the widely used webserver into accessing parts of the system that are supposed to be off limits to outsiders.

Microsoft's advisory correctly points out that several conditions make the vulnerability hard to exploit in some cases. For one, WebDAV is not enabled by default in IIS6, and for another, intruders would not be able to exceed the privileges of an anonymous user. By default, such accounts are not permitted to upload files to a server.

But based on Lucas's description, the Ball State hackers may have been able to do just that. Shortly after the attack, students checking their iWeb pages were greeted with a message that said they had been hacked. There are no indications any data was stolen or malicious files uploaded, she said. ®

Endpoint data privacy in the cloud is easier than you think

More from The Register

next story
14 antivirus apps found to have security problems
Vendors just don't care, says researcher, after finding basic boo-boos in security software
'Things' on the Internet-of-things have 25 vulnerabilities apiece
Leaking sprinklers, overheated thermostats and picked locks all online
iWallet: No BONKING PLEASE, we're Apple
BLE-ding iPhones, not NFC bonkers, will drive trend - marketeers
Multipath TCP speeds up the internet so much that security breaks
Black Hat research says proposed protocol will bork network probes, flummox firewalls
Only '3% of web servers in top corps' fully fixed after Heartbleed snafu
Just slapping a patched OpenSSL on a machine ain't going to cut it, we're told
Microsoft's Euro cloud darkens: US FEDS can dig into foreign servers
They're not emails, they're business records, says court
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Israel's Iron Dome missile tech stolen by Chinese hackers
Corporate raiders Comment Crew fingered for attacks
prev story

Whitepapers

7 Elements of Radically Simple OS Migration
Avoid the typical headaches of OS migration during your next project by learning about 7 elements of radically simple OS migration.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Solving today's distributed Big Data backup challenges
Enable IT efficiency and allow a firm to access and reuse corporate information for competitive advantage, ultimately changing business outcomes.
A new approach to endpoint data protection
What is the best way to ensure comprehensive visibility, management, and control of information on both company-owned and employee-owned devices?