Confusing MS security bulletin aided IIS worm
No wonder so many machines got hit
Exclusive: The sadmind/IIS worm, which has been defacing Microsoft IIS machines so prolifically during the past ten days, might be getting a little help from a poorly-worded MS security bulletin.
The worm infects Solaris boxes up to version 7 by exploiting the sadmind vulnerability, then scans for IIS machines susceptible to the folder traversal vulnerability which was patched last October, and then defaces the default Web page.
We were mightily impressed by the large number of IIS machines attacked by the worm, since a fix has been available for seven months. We originally chalked that up to widespread sysadmin indifference, which is often a safe bet.
But following a tip from a Reg reader who fell victim to the worm after patching his system, we had to look into other possibilities.
And sure enough, it appears to us now that if the patch and several Windows service packs (how many times have we warned you not to play with these things?) are not installed in the correct order, the patch might be useless.
According to MS's security bulletin, "the IIS 4.0 patch can be installed on systems running Windows NT 4.0 Service Packs 5.0 and 6.0a. The IIS 5.0 patch can be installed on systems running either Windows 2000 Gold or Service Pack 1.0."
The wording here is quite specific, and may well have been overlooked by a number of sysadmins. It implies that it's necessary to have installed either of the NT service packs, 5.0 or 6.0a, for the patch to be effective, which is true; but it doesn't address what might happen if a system were upgraded after the patch was installed.
Thus if you (re)installed IIS, or installed a more recent service pack on an NT machine after patching the IIS folder traversal vulnerability, you must re-install the hotfix.
Our tipster believes that a recent service pack (presumably NT 6.0a) may have accidentally over-written files associated with the IIS patch, but Microsoft tested this at our request with NT pack 6.0a, and found it to be impossible. It is also impossible to over-write the patch with Win 2K SP 1.0, the company told us.
The company suggests that our user may have an unusual network configuration, which certainly is possible. The remaining possibility is that the user needed to re-install the patch after either (re)installing IIS or upgrading his NT service pack -- which is why we recommend that the patch be re-installed by everyone with doubts about their past network configuration.
As for Win 2K, "the patch may be applied to Windows 2000 with or without SP1. Specific to Windows 2000, if you install the hotfix on Gold (no SP), and then install SP1, the patch is not overwritten by SP1," Microsoft's Security Response Center told us.
However, a user "must re-apply the Service Pack and any hotfixes after installing something from original media (like after installing IIS). The same is [true] when upgrading from one SP to another SP -- you must then re-apply all post-SP hotfixes applicable to the new SP," we were told.
So it's likely that our tipster either installed or reinstalled IIS after patching his system, or installed a more recent NT service pack, thereby rendering his folder traversal vulnerability patch ineffective.
MS ought really to have emphasized this in the security bulletin. To say that the patch "can be installed on systems running Windows NT 4.0 Service Packs 5.0 and 6.0a....and on systems running either Windows 2000 Gold or Service Pack 1.0" really isn't strong enough if the patch has to be re-installed when upgrading a service pack or re-installing an application.
Indeed, the bulletin says only that "the NT4 patch cannot be installed on systems prior to SP5. (By 'cannot' [it is meant that] when you execute the patch file, it will give a popup error message and fail to install, stating that the patch won't install on that version of the installed SP)," the company explained to us.
And of course this is a separate issue from whether or not installing or re-installing an application, or upgrading a service pack, would require one to re-install the hotfix. Now we know it's necessary to do just that. It ought to have been emphasized, and we hope MS will edit their security bulletin accordingly.
Some admins may wish to re-install the IIS patch even if they're confident that they got it and everything else installed in the proper sequence. We don't believe this degree of vigilance is necessary; but patching is quite easy, and it certainly does no harm to err on the side of caution. ®