New IIS flaw deemed low risk in proper configurations

Administrators following secure configuration best practices should not be at risk from a new, zero-day vulnerability in Microsoft's Internet Information Services (IIS), according to the software giant.

Jerry Bryant, senior security program manager at Microsoft, said Sunday night in a blog post that the company is investigating reports of a flaw in the IIS web server but is unaware of any active attacks.

In a Christmas Eve advisory, vulnerability tracking firm Secunia graded the bug as "less critical" and said a successful exploit could lead to unauthorized security bypass and system access. According to Secunia, the vulnerability is caused by the incorrect file handling of ASP, a web application framework that runs inside IIS.

Secunia confirmed the bug on fully patched Windows Server 2003 R2 SP2 installations that are running IIS version 6.

"This can be exploited to potentially upload and execute arbitrary ASP code via a third-party application using file extensions to restrict uploaded file types," the Secunia advisory said.

But Bryant said that for an attack to occur, IIS must be in a "nondefault, unsafe configuration," and an intruder would have to be authenticated with privileges to execute commands, a setup that does not comply with Microsoft guidance.

"Customers using out-of-the-box configurations and who follow security best practices are at reduced risk of being impacted by issues like this," he said.
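The weak check Secunia describes (a third-party upload handler trusting the file extension) beside a stricter form of the same check, as an added example that is not from the article, Secunia or Microsoft; the allowlist, the sample file names and the function names are constructed assumptions.

```python
import re

# Constructed allowlist for an image-upload feature (assumption, not from the article).
ALLOWED_EXTENSIONS = frozenset({"jpg", "jpeg", "png", "gif"})
# Stem may contain only these characters: no ';', ':', spaces, NUL or path separators.
_SAFE_STEM = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def naive_extension_ok(filename: str, allowed=ALLOWED_EXTENSIONS) -> bool:
    """The weak check: trust whatever follows the last dot of the client-supplied name."""
    return filename.rsplit(".", 1)[-1].lower() in allowed


def strict_upload_name_ok(filename: str, allowed=ALLOWED_EXTENSIONS) -> bool:
    """Hardened check: the whole name must be <safe stem>.<one allowed extension>."""
    if "/" in filename or "\\" in filename:      # client never supplies a path
        return False
    parts = filename.split(".")
    if len(parts) != 2:                            # exactly one extension segment
        return False
    stem, ext = parts
    if not _SAFE_STEM.fullmatch(stem):             # rejects 'a;b', 'a:b', '', '..'
        return False
    return ext.lower() in allowed


def server_side_name(filename: str, token: str) -> str:
    """Store the file under a server-generated name; only the vetted extension survives."""
    if not strict_upload_name_ok(filename):
        raise ValueError("rejected upload name: %r" % filename)
    return "%s.%s" % (token, filename.rsplit(".", 1)[-1].lower())


# Constructed sample names: ones a trailing-extension check accepts but the strict check rejects.
SAMPLE_NAMES = ["photo.jpg", "report.asp.jpg", "shell.asp", "a;b.jpg", "../x.png"]


def compare_checks(names=SAMPLE_NAMES) -> dict:
    """Return {name: (naive_result, strict_result)} so the gap between the checks is visible."""
    return {n: (naive_extension_ok(n), strict_upload_name_ok(n)) for n in names}


if __name__ == "__main__":
    for name, (weak, strict) in compare_checks().items():
        print("%-16s naive=%-5s strict=%s" % (name, weak, strict))
```

Even with the strict check, the directory that receives uploads should carry no script execute permission, which is the "out-of-the-box" configuration Bryant refers to.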

Patrick Nolan, a handler posting on the SANS Internet Storm Center site, said Sunday that administrators still must be careful because they could unknowingly be running a vulnerable web server due to a webmaster's mistake.

"The nature of the vulnerability is such that it's going to be widely exploited soon, quite successfully, and not only by the usual suspects but more effectively by the specialized groups of attackers that are after unrestricted access to your protected network, and, of course, the other groups after more mundane items like bank accounts," Nolan said.

Microsoft's next round of patches is due out Jan. 12.
