Tag Archives: iis

MS now dismisses IIS zero-day bug reports

0
Posted by Tech Paranoia on December 30, 2009 – 10:00 am
Filed under exploit
Tagged as , ,

Microsoft has dismissed reports that there’s an unpatched critical flaw in the latest version of its webserver software.

The software giant accepts there is an “inconsistency” in how IIS 6 handles semicolons in URLs . But it denies that this lends itself to hacking attacks, contrary to claims by security researchers shortly before Xmas. Redmond said fears that the bug allows hackers to circumvent content filtering software in order to upload and execute code on an IIS server are misplaced.

This scenario would only work if IIS web servers were set up to allow both “write” and “execute” privileges from the same directory, something that would make a system vulnerable in the first place and isn’t established even in default configurations, Microsoft states. The software giant has promised to make changes to purge the inconsistent behaviour from IIS 6.

Microsoft’s nothing-to-worry-about-please-move-along advisory, which helpfully provides links to best practice web server security guidelines, can be found here.

Source: The Register

Microsoft confirms IIS hole

0
Posted by Tech Paranoia on December 29, 2009 – 10:00 am
Filed under Software
Tagged as , ,

Microsoft has confirmed the security hole in its IIS web server, but hasn’t disclosed which versions of the product are affected. According to the finder of the “semi-colon bug”, versions up to and including version 6 are vulnerable. The hole allows attackers, for instance, to camouflage executable ASP files as harmless JPEG files and upload malicious code to a server.

Microsoft’s Security Response Center (MSRC) says it is investigating the vulnerability and has so far not found evidence of any attackers actively exploiting the hole to compromise a server. According to the vendor, the required conditions present an obstacle for successful attacks: Attackers must have authenticated themselves on a server and possess read as well as upload privileges to a directory which, in turn, must allow the execution of code.

Although these conditions are not present in any standard installation, opinions about the risk levels vary considerably. Security firm Secunia considers the vulnerability a moderate threat. The Internet Storm Center has rated the problem critical and recommends that affected users take additional security precautions until a patch becomes available. An 8 basic rules plan compiled by the ISC is to assist with this task. In its first response to the vulnerability, Microsoft also suggested several links to instructions on how to ensure server security.

Source: The H Online

Microsoft IIS vuln leaves users open to remote attack

0
Posted by Tech Paranoia on December 24, 2009 – 8:02 pm
Filed under Zero Day
Tagged as , ,

A researcher has identified a vulnerability in the most recent version of Microsoft’s Internet Information Services that allows attackers to execute malicious code on machines running the popular webserver.

The bug stems from the way IIS parses file names with colons or semicolons in them, according to researcher Soroush Dalili. Many web applications are configured to reject uploads that contain executable files, such as active server pages, which often carry the extension “.asp.” By appending “;.jpg” or other benign file extensions to a malicious file, attackers can bypass such filters and potentially trick a server into running the malware.

There appears to be some disagreement over the severity of the bug, which Dalili said affects all versions of IIS. While he rated it “highly critical,” vulnerability tracker Secunia classified it as “less critical,” which is only the second notch on its five-tier severity rating scale.

“Impact of this vulnerability is absolutely high as an attacker can bypass file extension protections by using a semicolon after an executable extension such as ‘.asp,’ ‘.cer,’ ‘.asa’ and so on,” Dalili wrote. “Many web applications are vulnerable against file uploading attacks because of this weakness of IIS.”

Secunia didn’t explain how it arrived at its assessment, but it did confirm the bug on a machine running a fully patched version of Windows Server 2003 R2 SP2 with Microsoft IIS version 6.

A Microsoft spokeswoman said company researchers are investigating the report. They are not aware of attacks targeting the reported vulnerability, she said.

In the absence of any official guidance, webmasters who want to workaround the potential problem should make sure that upload directories don’t have execute permissions. And web developers should ensure their applications never accept the user’s input as a file name.

Source: The Register

Five critical Windows fixes this patch Tuesday

0
Posted by Tech Paranoia on September 4, 2009 – 9:24 am
Filed under Patches, Security, Zero Day
Tagged as , ,

Five critical Windows fixes are expected to be released this patch Tuesday. As reported in The Register:

Microsoft plans to release five critical update bulletins next Tuesday, all critical, in the September edition of its regular Patch Tuesday update cycle.

However, a fix for the IIS zero day flaw is not expected to be released. Which possibly leaves certain IIS configurations vulnerable for up to another month, unless Microsoft releases an out of band patch.

The list of affected software leaves out mention of Microsoft’s IIS Web Server software, which is currently the target of exploits capitalising on a zero-day vulnerability. More specifically, the flaw involves problems in the Microsoft FTP services component bundled with IIS 5.0, IIS 5.1, IIS 6.0 or IIS 7.0.

The lack of mention of IIS in Microsoft’s pre-alert implies a set of patches for Microsoft’s web server software software will have to wait until at least October.

Remember to patch your servers!