Pressure increasing for Microsoft to patch IIS 0 day
The other day ISC Handler Guy Bruneau posted a Diary pointing to a "Microsoft IIS 0Day Vulnerability in Parsing Files (semi-colon bug). Secunia has confirmed the vulnerability "on a fully patched Windows Server 2003 R2 SP2 running Microsoft IIS version 6. Other versions may also be affected". It should be mentioned that if you don't think you're vulnerable because you are running a non-vulnerable version of IIS, the vulnerable functionality may have been made available by your webmaster when deploying IIS.
After reading up on related posts and IIS issues, the nature of the vulnerability is such that it's going to be widely exploited soon, quite successfully, and not only by the usual suspects, but more effectively by the specialized groups of attackers that are after unrestricted access to your protected network, and, of course, the other groups after more mundane items like bank accounts.
No response yet from Microsoft that I see, I would expect significant customer pressure is on Microsoft to correct this vulnerability in the January patch cycle.
UPDATE v2 12/28/2009 15:32 UTC
Wondering about whether or not your IIS deployments are at "reduced risk" for abuse of the IIS 0day vulnerability because you have "out of the box" deployments built using "best practices"? The original post on the 0day mentioned one workaround, "For Webmasters: Remove “execute” permission from the upload directories (folders)". MSDN blogger David Wang had an interesting article elucidating some aspects of IIS "upload" and "execute" issues, see "The long answer" section of his "Why can I upload a file without IIS Write Permission?" blog. His short answer? -
"The user just failed to configure what he thinks he configured, and IIS can do nothing to save you from your own misunderstanding...".
- Anyone that has information on any signature development please add a comment to the Diary.
- If your servers running IIS spontaneously reboot drop us a note on what you find.
Comments