Microsoft Denies IIS Flaw
In August, Microsoft began an investigation into IIS (Internet Information Services) after claims of a vulnerability involving the File Transfer Protocol (FTP) in IIS version 6. At the time, the Redmond giant reported that they were not yet aware of any existing attacks exploiting the flaw; however, code was posted on Milw0rm the 31st of August that reportedly exploits the flaw on any fully patched version of Win2K running IIS 5 with FTP enabled.
It didn’t take long for Microsoft to report attacks on vulnerable servers, with the first official notice released on the 4th of September. The company then said that it was working on a security update to fix the problem, but said in the meantime that users should disable various sections of the FTP protocol to help secure vulnerable systems, with US-CERT (U.S. Computer Emergency Readiness Team) suggesting that anonymous access also be disabled.
However, in a new blog post yesterday, Microsoft refuted any claims of a flaw in IIS, stating that it is only due to user error:
What we have seen is that there is an inconsistency in IIS 6 only in how it handles semicolons in URLs. It’s this inconsistency that the claims have focused on, saying this enables an attacker to bypass content filtering software to upload and execute code on an IIS server.
The key in this is the last point: for the scenario to work, the IIS server must already be configured to allow both “write” and “execute” privileges on the same directory. This is not the default configuration for IIS and is contrary to all of our published best practices. Quite simply, an IIS server configured in this manner is inherently vulnerable to attack.
The company went on to say that anyone using the default configuration of IIS 6 or following the “recommended best practices” as set forth by Microsoft is not susceptible to the vulnerability. Newer versions of IIS are also not affected.
If, however, you are running IIS in a configuration that allows both “write” and “execute” privileges on the same directory like this scenario requires, you should review our best practices and make changes to better secure your system from the threats that configuration can enable.
A list of the suggested practices and more information can be found on the blog post itself.
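The condition Microsoft singles out above, a directory that carries both “write” and “execute” (or script) access, is something an administrator can audit directly from the IIS 6 metabase. The script below is an added example for this article, not code from Microsoft’s post; it assumes the IIS 6 WMI provider (namespace root\MicrosoftIISv2) is available and that it runs with local administrator rights on the IIS 6 host.

```powershell
# Added audit example: list IIS 6 web directories whose metabase settings
# grant Write together with Execute or Script access.
# Assumption: the IIS 6 WMI provider classes IIsWebVirtualDirSetting and
# IIsWebDirectorySetting are present (IIS 6 on Windows Server 2003).
$classes = 'IIsWebVirtualDirSetting', 'IIsWebDirectorySetting'

$findings = foreach ($class in $classes) {
    Get-WmiObject -Namespace 'root\MicrosoftIISv2' -Class $class -ErrorAction Stop |
        Where-Object { $_.AccessWrite -and ($_.AccessExecute -or $_.AccessScript) } |
        ForEach-Object {
            # Name holds the metabase path, e.g. W3SVC/1/ROOT/<directory>
            New-Object PSObject -Property @{
                Path          = $_.Name
                AccessWrite   = $_.AccessWrite
                AccessExecute = $_.AccessExecute
                AccessScript  = $_.AccessScript
            }
        }
}

if ($findings) {
    # Each row is a directory that matches the configuration the post warns about.
    $findings | Format-Table Path, AccessWrite, AccessExecute, AccessScript -AutoSize
} else {
    'No directories with both Write and Execute/Script access found.'
}
```

Any directory listed should have either its write access or its execute/script access removed, in line with the published best practices the post refers to.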
You have got it completely wrong, these are two different vulnerabilities: first is FTP issue (in IIS5), reported in August last year and other one is semicolon handling problem (in IIS6), discovered a week or two ago.
These two bugs have nothing to do with each other.