June 18, 2001 3:55 PM PDT
Microsoft reveals Web server hole
As first reported by CNET News.com, the flaw occurs in a component of Microsoft's Internet Information Service (IIS) software that is installed on Web servers by default, said Marc Maiffret, chief hacking officer with eEye Digital Security, the company that found the flaw.
"Pretty much any Web server (using Microsoft software) is basically left vulnerable to attack," he said. "Any hacker can basically get system-level access, which is the highest level of access on the computer," by using a program that exploits the problem.
In a strongly worded advisory released on its Web site Monday afternoon, Microsoft told its customers to download a newly released fix and to secure their sites before the Internet underground publishes tools to take advantage of the flaw.
"Clearly, this is a serious vulnerability, and Microsoft urges all customers to take action immediately," according to the company's advisory. "Microsoft strongly urges all Web server administrators to apply the patch immediately."
The flaw affects all versions of IIS running under Windows NT, Windows 2000 and a limited-release beta version of Windows XP. That means the flaw could affect nearly 6 million sites, or 21 percent of the Web, according to a May survey by Internet researcher Netcraft.
The vulnerability lies within the code that Microsoft's IIS server uses to support indexing, a feature that speeds searching on Web servers. The module, known as the Indexing Service ISAPI Filter, does not properly check for buffer overruns, a common problem in software. Maiffret estimated that at least 50 percent of all IIS servers--about 3 million--still have the default component installed and are thus vulnerable.
Chris Rouland, director of the X-force research team at software and consulting company Internet Security Systems, agreed that systems administrators need to act quickly.
"Until the attacks become real, it's just a vulnerability," he said Monday. "But I'm sure hackers are writing exploits for this right now. I'd expect we'd see them in the next 48 hours.
"Systems administrators need to look at applying patches tonight or at the most over the next day or two."
Discovery of the server hole follows a rash of recent security incidents for Microsoft.
The company had to offer several different patches for a hole in its Exchange e-mail server after initial repairs crippled the servers they were applied to. An earlier hole in IIS was quickly exploited by online vandals. And an insurance firm that protects companies against hacker damage recently decided to boost premiums for customers who use Microsoft's Windows NT software.
Meta Group recommends that organizations couple sound management of security configurations with ongoing security research.
Using the flaw, a network attacker could gain total control of the computer on which the Web server runs.
"An attacker who successfully exploited this vulnerability could gain complete control over an affected Web server," according to Microsoft's statement. "This would give the attacker the ability to take any desired action on the server, including changing Web pages, reformatting the hard drive or adding new users to the local administrators group."
For example, an attacker who exploits the security hole could install and run programs, steal Web-based databases, modify Web sites and, in some cases, have a platform from which to attack the rest of the victim's network.
"The danger to the network really depends on how the network is set up," Maiffret said. "The Web server should be cut off from your actual organization." In cases where it's not, companies could find their entire network compromised.
A Microsoft representative said the hole does not pose a threat to server administrators who already follow strict security procedures, as outlined in Microsoft's "security checklist."
"People will not be harmed by this if they have previously followed the security checklist," said Scott Culp, security program manager for Microsoft's security response center. "Web servers sit on the Internet and let untrusted users access them, so they are always the most vulnerable pieces of your network."
Anyone using IIS should still install the patch provided by Microsoft, Culp added, even if they have followed Microsoft's security's checklist.
A Microsoft representative said the company is working to fix the flaw in the Windows XP version of the software before it is released.
Analysts said the flaw is unlikely to seriously harm Microsoft, even as it tries to push its software into more security-focused industries such as finance.
"Customer confidence is eroded when things like this come out," said Gartner analyst Victor Wheatman. "But people are tending to gravitate to Microsoft for all kinds of applications, and that will continue. This just shows they should do so with their eyes open."
Given the complexity of server software and the like, however, it's unrealistic to expect bulletproof software.
"It's just far too complicated--one new capability, one new feature can open holes in an operating system that was thought to be air-tight," Wheatman said. "Security is never done. It's part of the development process."
News.com's David Becker contributed to this report.