WONTFIX: No patch for Windows Server 2003 IIS critical bug – Microsoft
Suggested workaround for exploited flaw: Upgrade to a non-EoL operating system
Microsoft will not patch a critical security hole recently found and exploited in IIS 6 on Windows Server 2003 R2 – the operating system it stopped supporting roughly two years ago.
The buffer overflow bug can be exploited to inject malicious code into a vulnerable machine and execute it, allowing an attacker to gain control of the computer. It requires WebDAV to be enabled. If you have such a machine exposed to or reachable from the internet, and you get hacked, maybe you deserve it.
On Monday, details of the vulnerability and proof-of-concept exploit code were published on GitHub: the code is attributed to "Zhiniang Peng and Chen Wu. Information Security Lab & School of Computer Science & Engineering, South China University of Technology Guangzhou, China."
Apparently, the "buffer overflow in the ScStoragePathFromUrl function in the WebDAV service" was "exploited in the wild in July or August 2016."
Shodan.io – a search engine for internet-facing devices – has found hundreds of thousands of servers still using IIS 6.0, and about 20,000 machines using Windows Server 2003. Not all of them will be exploitable. In any case, Microsoft has indicated it won't fix the bug.
"This issue does not affect currently supported versions," a spokesperson told The Reg. "We continue to recommend that customers upgrade to our latest operating systems and benefit from robust, modern protection."
The vulnerability in the IIS WebDAV component allows an attacker to run code remotely on a target system by sending in an overly large 'If' header entry in a PROPFIND request. Done right and the target is pwned, but even a malformed IF header can cause a crash.
Now that a Python-written exploit has been fully published, malware operators will be quick to integrate it into attack code. According to the latest data, the US leads the world in Server 2003 R2 systems online, with China a close second, and the pickings could be rich for canny operators.
But before you rush to criticize Microsoft, it should be remembered that the R2 version is about ten years old, and mainstream support ended for it on July 13, 2010. Microsoft carried on emitting security and essential patches for the software until July 2015, but there's a limit to how long Redmond – or indeed the vast majority of software companies – will continue to support outmoded operating systems.
However, there is a fix if you're concerned, thanks to third-party patchers at ACROS Security in Slovenia. The firm has made it its business to offer alternative patches for Microsoft flaws and this one is no exception.
"Owners of these servers each have their own story, their own set of constraints to work within, and their own budgets that they would rather spend for something other than upgrading a server that works," said ACROS CEO Mitja Kolsek.
"To help maintainers of Windows Server 2003 computers block almost inevitable attacks under these unfavorable circumstances, we decided to provide them a free solution: a micropatch for CVE-2017-7269, which they can apply on their machines not only without rebooting, but also without even restarting Internet Information Services." ®