May 20, 2009 1:44 PM PDT

Report: Attackers exploit IIS hole to breach university server

by Elinor Mills

Updated 6 p.m. PDT with Microsoft comment.

It apparently didn't take long for hackers to try to take advantage of a zero-day hole in Microsoft Internet Information Services (IIS).

Ball State University in Muncie, Ind., told The Register that servers running the program were breached on Monday, the same day Microsoft warned the public about the vulnerability.

Students accessing their iWeb pages on Monday saw messages saying the system had been hacked, The Register reported on Wednesday. There is no evidence that data was stolen or malicious files were uploaded; however, the iWeb accounts were expected to be offline until Thursday or Friday, according to Patty Lucas, a senior help desk support administrator for the university's computing services department.

Microsoft, meanwhile, said it has investigated a public report of a targeted attack on the IIS hole, but did not specify whether it was the Ball State University breach that was looked into.

The investigation "revealed that the vulnerability was not exploited to accomplish this attack," a Microsoft spokeswoman wrote in an e-mail late on Wednesday. "Microsoft is still not aware of attacks that are trying to use this vulnerability or of customer impact at this time."

The computing services department referred a call from CNET News on Wednesday afternoon to the communications department, which was already closed for the day.

The security vulnerability could allow an attacker to gain access to a location that typically requires authentication by using a specially crafted anonymous HTTP request, according to the Microsoft security bulletin. The problem exists in the way that the WebDAV extension for IIS handles HTTP requests.

According to a posting to the Full Disclosure security e-mail list on Friday, the IIS security vulnerability was discovered on May 12 by Nikolaos Rangos.

Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service, and the Associated Press.
by monkeyfun14 May 20, 2009 2:01 PM PDT
Funny thing is, if nothing was ever said, as I stated before, this probably would have never happened. Isn't the media just lovely?
by Vegaman_Dan May 20, 2009 2:07 PM PDT
It's a problem that all OEMs face when it comes to this. Do you publicly disclose that there is a vulnerability when there is a chance that if you do, that someone will exploit it, or keep it hidden from public knowledge and patch it without telling anyone or admitting to a problem? One is more honest but vulnerable, the other is more sneaky and dishonest, but probably safer. It's an ethical question that has no right answer.
by Random_Walk May 20, 2009 2:19 PM PDT
No, the reality is that someone would have found it anyway, exploited the crap out of it, and then after much damage had been done would word get out... just like the old days.

After all, someone had to discover it, then report it to Microsoft (or submit a fix request if it was internal), no?
by Jimmu411 May 21, 2009 8:37 AM PDT
Doesn't the article state that the zero-day exploit was not used for the break-in? It looks like the article was patched with new info, but the headline wasn't?
by ti99_forever May 20, 2009 2:16 PM PDT
It is just sickening that years after Microsoft committed itself to better security (and better coding practices) that there are still so many issues, and many of them still buffer overflow problems.

Thanks K&R!
by monkeyfun14 May 20, 2009 2:22 PM PDT
No OS is perfect; Linux and OSX have their share of vulnerabilities.
by KeithFromDG May 20, 2009 2:47 PM PDT
The reporter fails to mention that WebDAV has to manually be enabled by the person that deployed IIS. WebDAV is disabled by default. In addition, WebDAV is NOT required for most of hosted sites on IIS or whatever. For more details on WebDAV: http://www.webdav.org/other/faq.html#Q2
Also, keep in mind that this is the first security issue IIS has had in about 2 or more years. I don't think that constitutes a lack of effort on the part of Microsoft.
by dmancini1979 May 20, 2009 2:59 PM PDT
Nothing worse than a loose IIS Hole
by rmva May 20, 2009 7:29 PM PDT
Also that this applies to IIS 6, but not IIS 7.
by May 22, 2009 8:08 AM PDT
I have read about this problem for a while. Then I was attacked. My computer would not do anything. I couldn't get into IE. I had to clean drive C and reinstall Vista Ultimate. Is there something I can do to stop this? This is the second time it has happened. I am protected with antivirus, but it seems the hackers have found a way around that, which is of no surprise to me. I don't open emails I don't recognize. What can I do? You could email me at randcpeck@frontiernet.net. I did see something that Microsoft put out, but I am not sure how to follow the instructions.