September 4, 2009 10:45 AM PDT

Microsoft reports attacks using IIS vulnerability

by Stephen Shankland

A vulnerability in Microsoft's software for housing Web sites is now being used for "limited attacks" on the servers it's running on, the company said Friday.

Microsoft disclosed the Internet Information Services (IIS) vulnerability on Monday and said Friday it's still working on a security update to fix the problem. In the meantime, the advisory has instructions for a workaround, including disabling various elements of the vulnerable FTP (File Transfer Protocol) service, which is used to upload and download files.

According to the advisory, the vulnerability could let somebody run arbitrary code on a server using FTP on IIS 5.0 and conduct a denial-of-service attack using FTP on IIS 5.1, 6.0, and 7.0. The present version 7.5 isn't affected, though, and FTP 7.5 can be downloaded and installed on IIS 7.0 to protect it.

"Customers should be aware that the Download Center has FTP 7.5 available for Windows Vista and Windows Server 2008. FTP 7.5 is not vulnerable to any of these exploits," said Alan Wallace, senior communications manager for Microsoft's security response communications team, in a statement.

Initially, the company said it was investigating a vulnerability only with versions 5 and 6 of IIS.

Stephen Shankland writes about a wide range of technology and products, but has a particular focus on browsers and digital photography. He joined CNET News in 1998 and since then also has covered Google, Yahoo, servers, supercomputing, Linux and open-source software, and science. E-mail Stephen, or follow him on Twitter at http://www.twitter.com/stshank.
34 Comments
by WinNoMo September 4, 2009 11:21 AM PDT
Whether or not other operating systems are more or less vulnerable than MS is debatable. Whether or not other operating systems are being targeted more or less than MS is not. This among many other reasons is why I have chosen to abandon MS products at least for now. So far, I have not regretted it.
by shycelticwitch September 4, 2009 11:33 AM PDT
Ditto
by gertruded September 4, 2009 2:32 PM PDT
Others of us have also abandoned MS products in the last few years for the same reason. My home is now MS free. With a little effort, Ubuntu can be used instead. There is a learning curve to using Ubuntu, but mostly because it is different than Windows, not because it is harder to use.
by Vegaman_Dan September 4, 2009 5:40 PM PDT
This is an excellent point because Ubuntu, Linux and even OS X are perfect and immune to any vulnerabilities.

. . .
by EvanSei September 4, 2009 6:37 PM PDT
@Vegaman_Dan
most not all but I yes excellent point
by BingItOn September 4, 2009 7:48 PM PDT
Ubuntu Security:

Just keep clicking next and Prev and you will forget about using it. Below is just by date you can see how frequently vulnerabilities are found. List is long, I cannot copy paste.

Jun 15: http://www.linuxsecurity.com/content/view/149088/
Jun 22: http://www.linuxsecurity.com/content/view/149193/
Jun 24: http://www.linuxsecurity.com/content/view/149224/
May 11: http://www.linuxsecurity.com/content/view/148817/
May 07: http://www.linuxsecurity.com/content/view/148805/

CRAPple Security:
http://news.cnet.com/8301-1009_3-10154662-83.html
The Macintosh and base Linux kernel operating systems have dominated the top spots for vulnerabilities by operating system over the past three years

http://news.cnet.com/8301-13579_3-10187192-37.html
The average selling price of a Mac desktop in the U.S. over the last six months was $1,503, while the average selling price of a Mac notebook was $1,493. Windows customers paid an average of $545 for their desktops over the last six months, while they paid $637 for their notebooks.

http://news.cnet.com/8301-1009_3-10199652-83.html?tag=mncol;posts
Safari hole exploited in seconds at security conference

http://i.gizmodo.com/256768/mac-os-x-less-secure-than-vista

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9072959

http://www.zdnet.com.au/news/security/soa/Mac-OS-X-hacked-under-30-minutes/0,130061744,139241748,00.htm

http://blogs.zdnet.com/security/?p=2941


http://www.wired.com/gadgetlab/2009/09/security-snow-leopard
by gabeheim September 4, 2009 8:48 PM PDT
Bing (Can you sing white christmas?):

You forgot to mention the common sentence in each of the Ubuntu security posts:

The problem can be corrected by upgrading your system to the
following package versions:


Where's that announcement for the IIS bug? Or for the zero day exploits MS let lag for months at a time (even over a year)? How many vulnerabilities do you suppose will pop up if MS were to open source their code, some of which may currently be exploited now by criminal enterprises without MS' or anyone else's knowledge? Unless it's hello world (even that can have vulnerabilities if coded wrong...) any large bit of code is likely to have vulnerabilities. Closed source only hides vulnerabilities from the "white hats", the black hats know how to find them. Doesn't help either that MS hires a large number of H1-B workers that can easily disappear back in their home country after selling MS secrets...
by BingItOn September 4, 2009 9:31 PM PDT
Go to http://www.linuxsecurity.com/ and search for Zero Day in search
or
http://www.linuxsecurity.com/index.php?option=com_search&Itemid=99999999&searchword=Zero+day&searchphrase=exact&ordering=newest&sectionid=0

and satisfy your thirst for knowledge. I got 35 results talking about this issue.

for IIS (Apache):
http://www.bing.com/search?q=Apache+Vulnerabilitie ( 1,290,000 results)
on LinuxSecurity

http://www.linuxsecurity.com/index.php?option=com_search&Itemid=99999999&searchword=Apache Vulnerabilitiesy&searchphrase=exact&ordering=newest&sectionid=0


I hope this helps you a lot

Your attack on H1B visa holders is uncalled for. I understand you are frustrated with CRAPple but that's okay, as long as you are ready to change your mind, you need an open mind, don't talk about open source. Welcome to the 21st century.
by TheAppleGuy September 4, 2009 9:41 PM PDT
@gabeheim I am not a big MS fan but since you asked (open issue not fixed)

http://www.linuxsecurity.com/content/view/149936/169/
A hacker has discovered a critical vulnerability in open-source firmware available for wireless routers made by Linksys and other manufacturers that allows attackers to remotely penetrate the device and take full control of it. The remote root vulnerability affects the most recent version of DD-WRT, a piece of firmware many router users install to give their device capabilities not available by default. The bug allows unauthenticated users to remotely gain root access simply by luring someone on the local network to a malicious website.
"This means someone can even post some crafted [img] link on a forum and a dd-wrt router owner visiting the forum will get owned," a user named Leka Vecher "gat3way" wrote in this posting to Milw0rm. "A weird vulnerability you're unlikely to see in 2009 :) Quite embarrassing I would say."

I feel MS is open to disclose vulnerabilities unlike my beloved Apple and Linux.
by Vegaman_Dan September 4, 2009 9:52 PM PDT
Okay kids, let's just say that all the various OS choices have their own particular issues and move along, shall we?
by seven7dust September 4, 2009 11:20 PM PDT
this whole marketshare myth seems to have gotten out of hand
for the record Mac OS7- OS9 had plenty of viruses even though
they had only 2% marketshare at the time {OSX share is now more close to 7%}
also
the marketshare myth would explain why windows has more viruses than the OSX
but it doesn't explain why there are absolutely no viruses { remember a virus self-replicates }
and I'm not even talking about spyware and adware which are my biggest problem with windows in general

the advantage overall is on a mac you don't need a whole bunch of
security related tools to keep it up and running smoothly,
despite what vulnerabilities exist
the likelihood of it causing harm to my mac is close to zero,
cause they are either trojans which require user interaction to install
or require hackers with skill levels close to Charlie Miller etc.
it may be also because of market share, but who cares what the reason is!
by ittesi259 September 4, 2009 12:44 PM PDT
My question is how long has MS known about these exploits....they don't have a good track record for fixing things in a timely manner. If a "security researcher" found it and immediately posted it then MS can't be held to blame unless they've had some time to work it out.
by Seaspray0 September 4, 2009 1:15 PM PDT
Depending on the severity of the vulnerability and whether it is currently being exploited, they can and have issued patches within a few days of the exploit. For those that are not currently being exploited or deemed a low risk, they tend to issue those on Patch Tuesday every month. Often, they have a workaround until the patch is released (as is the case here), but those workarounds could affect functionality for some people.

They are going to treat vulnerabilities on a "triage" basis like everyone else. Fix the critical ones and the ones currently being exploited first, then fix the others.
by DrtyDogg September 4, 2009 2:29 PM PDT
It wasn't found by a researcher, but a hacker who immediately posted it to a hacker forum. As far as MSFT's track record on patches, the last study showed them to be one of the fastest in the OS business.
by santuccie September 7, 2009 12:27 PM PDT
I concur with DrtyDogg. Comparative timelines have revealed that Apple is the slowest "in the business" to patch bugs. The open source community might be quicker than MS, but that's just the way it goes when it's open to everyone, and not just to a single corporation. The Encyclopedia Britannica is a lot older than the Wikipedia, but which is bigger? The Wikipedia is bigger... MUCH bigger. How many versions of Windows are there, and how many Linux distros? Enough said.
by DrtyDogg September 4, 2009 2:33 PM PDT
The work-around seems more like best practices. Do not allow anon write access, do not allow anon folder creation. . .
by ClaBR September 4, 2009 3:24 PM PDT
Agreed. Anonymous write access to an FTP server is just plain careless.
With anonymous FTP ANY server (Windows, Mac, Unix, Linux, etc) is vulnerable to a DoS attack simply by filling up all storage available so that no one else will be able to upload files.
by Vegaman_Dan September 4, 2009 5:43 PM PDT
Should be an interesting idea if someone decides to configure their server to anon FTP uploads on their Mac or Linux box, then publicizes it. See what happens. I'm curious.

Will anyone here be willing to take the challenge of putting their server up as a guinea pig? Shycelticwitch?
by gabeheim September 4, 2009 8:55 PM PDT
Vegaman, there is quite a difference between graceful (or even non-graceful degradation) and a stack buffer overflow. Quite a large difference. Better to have the server halt due to a DoS than to have it execute who knows what remote instructions. Especially a server running IIS, SQL Server, etc.

What happens if an attacker gets credentials of someone authorized to upload to the server, such as a web developer uploading content? Particularly since FTP is very vulnerable. Would the system still be vulnerable to the same overflow? Unless the code is in a handler specific to anon access, then I would say it is probably still vulnerable.
by gabeheim September 4, 2009 9:02 PM PDT
Actually, yes, if an attacker gleans credentials from any user allowed to write (even a non-privileged user), then he can execute the exploit. According to CERT:

[QUOTE]
IIS is a web server that comes with Microsoft Windows. IIS also includes FTP server functionality. The IIS FTP server fails to properly parse specially-crafted directory names. By issuing an FTP NLST (NAME LIST) command on a specially-named directory, an attacker may cause a stack buffer overflow. The attacker can create the specially-named directory if FTP is configured to allow write access using Anonymous account or another account that is available to the attacker.[/QUOTE]

This is a pretty bad one. You don't even need credentials to write, if you know your target well, just spoof an email and have them upload it for you. "Hi this is your boss, can you upload the files in this zip archive so our client can access them? Emailed attachments are not getting through to them"

I am willing to bet the vulnerability is in 7.5 as well, just harder to exploit due to some of the stack hardening in newer binaries on most OS's. Otherwise, MS would have caught this earlier.
by Vegaman_Dan September 4, 2009 9:53 PM PDT
Sounds like we have a valid test to try then. Will someone open up an anon FTP server out there and post the address for you all to try your hand at it on different OS platforms?
by EWAN22 September 4, 2009 4:35 PM PDT
adsrevenue : using ISO, UTF-8, Burglarized the net,and pc , I thank,,,,Need to lock the doors , need the FCC to take the door back from the adsrevenue, stop bad Encoding
by jscott418 September 4, 2009 6:05 PM PDT
At least Microsoft admits to flaws. I don't see many at Apple even admitting they could have holes. At least until they release a ton of fixes that took months to do. Just another blind Apple fan who believes his beloved Apple not nothing can happen to them. I can remember when Windows users believed the same thing. I think you're pretty dumb to believe Apple. Linux is so low in usage who in their right mind would target such a small user group. But then again it's such a crappy old school operating system. Who can blame them.
by seven7dust September 4, 2009 11:10 PM PDT
the thing is the flaws in windows get exploited while those on OSX don't!
this may be because of the unix foundation or the marketshare
but for whatever reason you won't see a Conficker type of attack on the mac platform
vulnerabilities yes but major security risks affecting millions of macs everyday, never
by DrtyDogg September 5, 2009 2:42 PM PDT
To be fair Seven7dust, Conficker should have never happened on Windows either, as the fix preceded the exploit. And a vulnerability is a risk.
by pierregau September 17, 2009 4:18 AM PDT
Use the (free) TrustLeap G-WAN web server instead of IIS:

- G-WAN is faster (in user-mode) than IIS 7.0 (in the kernel),
- G-WAN ANSI C scripts are 5x faster than IIS 7.0 ASP.Net C#,
- G-WAN is light (108 KB) while IIS 7.0 weighs 501 MB,
- G-WAN is portable, IIS is not portable.

So far, G-WAN has never exposed security holes.