Feeds

New IIS attacks (greatly) expand number of vulnerable servers

Microsoft's webserver even easier to exploit

Reducing security risks from open source software

Attackers have begun actively targeting an unpatched hole in Microsoft's Internet Information Services webserver using new exploit code that greatly expands the number of systems that are vulnerable to the bug.

In an updated advisory published Friday, Microsoft researchers said they are seeing "limited attacks" exploiting the vulnerability, which resides in a file transfer protocol component of IIS. Exploit code publicly released in the past 24 hours is now able to cause vulnerable servers to crash even when users don't have the ability to create their own directories.

That means the bug, for which there is no patch, is easier to exploit than previously thought. In an earlier advisory, Microsoft said attacks only worked when untrusted users had write access to directories. For the moment, Microsoft continues to say that IIS5 running on Windows 2000 appears to be the only version that is vulnerable to attacks that can remotely execute malicious code on an underlying server. But it's now clear that hackers can target every version of IIS to cause denial-of-service attacks.

Microsoft said Thursday that it planned to issue five security updates for next week's Patch Tuesday. None of the affected software listed in the limited disclosure included IIS, so users shouldn't expect a fix then. Microsoft has said only that it plans to issue a patch as soon as one is ready.

In the meantime, IIS users should follow workarounds that include turning off FTP if it's not needed (in more recent versions it's disabled by default), or at the very least, blocking FTP access to unauthenticated users.

The bug is exploited by listing directories with specially manipulated names that trigger a buffer stack overflow in the application. The new exploit code is able to cause IIS6 systems to crash, but Microsoft makes no mention those systems can be further compromised. ®

Mobile application security vulnerability report

More from The Register

next story
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
Microsoft: You NEED bad passwords and should re-use them a lot
Dirty QWERTY a perfect P@ssword1 for garbage websites
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
NUDE SNAPS AGENCY: NSA bods love 'showing off your saucy selfies'
Swapping other people's sexts is a fringe benefit, says Snowden
L33t haxxors compete to p0wn popular home routers
EFF-endorsed SOHOpelessly Broken challenge will air routers' dirty zero day laundry
Own a Cisco modem or wireless gateway? It might be owned by someone else, too
Remote code exec in HTTP server hands kit to bad guys
British data cops: We need greater powers and more money
You want data butt kicking, we need bigger boots - ICO
Crooks fling banking Trojan at Japanese smut site fans
Wait - they're doing online banking with an unpatched Windows PC?
prev story

Whitepapers

Top three mobile application threats
Prevent sensitive data leakage over insecure channels or stolen mobile devices.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.
Mobile application security vulnerability report
The alarming realities regarding the sheer number of applications vulnerable to attack, and the most common and easily addressable vulnerability errors.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.