Patch Management

New IIS flaw deemed low risk in proper configurations

December 28, 2009

Administrators following secure configuration best practices should not be at risk to a new, zero-day vulnerability in Microsoft's Internet Information Services (IIS), according to the software giant.

Jerry Bryant, senior security program manager at Microsoft, said Sunday night in a blog post that the company is investigating reports of a flaw in the IIS web server but is unaware of any active attacks.

In a Christmas Eve advisory, vulnerability tracking firm Secunia graded the bug as "less critical" and said a successful exploit could lead to unauthorized security bypass and system access. According to Secunia, the vulnerability is caused by the incorrect file handling of ASP, a web application framework that runs inside IIS.

Secunia confirmed the bug on fully patched Windows Server 2003 R2 SP2 installations that are running IIS version 6.

"This can be exploited to potentially upload and execute arbitrary ASP code via a third-party application using file extensions to restrict uploaded file types," the Secunia advisory said.

But Bryant said that for an attack to occur, IIS must be in a "nondefault, unsafe configuration," and an intruder would have to be authenticated with privileges to execute commands that do not comply with Microsoft guidance.

"Customers using out-of-the-box configurations and who follow security best practices are at reduced risk of being impacted by issues like this," he said.

Patrick Nolan, a handler posting on the SANS Internet Storm Center site, said Sunday that administrators still must be careful because they could unknowingly be running a vulnerable web server due to a webmaster's mistake.

"The nature of the vulnerability is such that it's going to be widely exploited soon, quite successfully, and not only by the usual suspects but more effectively by the specialized groups of attackers that are after unrestricted access to your protected network, and, of course, the other groups after more mundane items like bank accounts," Nolan said.

Microsoft's next round of patches are due out Jan. 12.


prestitial ad