Security Watch

Proof of Concept for Vulnerability in IIS

The zero-day bugs just keep rolling in: Microsoft said it is investigating a new public disclosure of a possible vulnerability in its Internet Information Services (IIS). The versions that may be affected are IIS 5.0 and IIS 6.0, where the File Transfer Protocol (FTP) service may be open to attack.

"We will take steps to determine how customers can protect themselves should we confirm the vulnerability," Microsoft said in a statement Tuesday, adding that it had not seen in-the-wild exploits yet.

Microsoft's announcement came just after proof-of-concept code was released on the exploit discussion portal milw0rm. According to milw0rm, the bug in question exploits a hole in IIS 5.0 running on Windows 2000.

Experts say that for this vulnerability to be exploitable the host would need to be running Windows 2000 with the IIS 5.0 FTP service enabled. Further, the FTP server would have to be configured to allow the connecting user to create a directory, a capability that a download-only FTP server normally does not grant.

"Yes, it is an issue, but hopefully only to a small number of users. A work-around would be to set permissions on the FTP server to 'not allow' a remote user to create a directory on the FTP server," said Lumension Security and Forensics Analyst Paul Henry.

There is no word yet on whether the milw0rm exploit and the one Microsoft has been made aware of are the same bug.

Microsoft went as far as to say a patch may be made available, but the investigation is ongoing.

Even so, the threat appears clear and present: the U.S. Computer Emergency Readiness Team (US-CERT) issued an advisory that said it "encourages administrators to disable anonymous write access to the FTP server to help mitigate the vulnerability." US-CERT added: "A proper impact analysis should be performed prior to taking defensive measures."
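Before and after applying the US-CERT workaround, an administrator will want to verify from the outside that anonymous users really cannot create directories. The following Python script is an added example, not code from the article, from Microsoft or from US-CERT: it logs in anonymously, attempts the FTP MKD command with a throwaway name, and removes the directory again if the server accepted it. It only probes the write permission that the workaround removes; it does not exercise the reported bug. The `_FakeFtp` class is a constructed stand-in so the check can be exercised offline.

```python
"""Audit check: does an FTP server let an anonymous user create a directory?

Added example (not from the article, Microsoft or US-CERT). It probes the
anonymous write capability that US-CERT advised disabling; it does not
trigger the reported IIS FTP bug.
"""
import ftplib
import socket
import uuid


def anonymous_write_allowed(ftp):
    """Return True if the connection can create (and remove) a directory.

    `ftp` is any object exposing ftplib-style mkd()/rmd() methods that raise
    ftplib.error_perm when the server refuses the command.
    """
    name = "audit-" + uuid.uuid4().hex[:8]  # unlikely to collide with real content
    try:
        ftp.mkd(name)
    except ftplib.error_perm:
        return False
    # Write is allowed; clean up so the probe leaves no trace behind.
    try:
        ftp.rmd(name)
    except ftplib.error_perm:
        pass
    return True


def check_host(host, port=21, timeout=10):
    """Connect anonymously and classify the host.

    Returns one of: 'write', 'read-only', 'no-anon', 'unreachable'.
    """
    ftp = ftplib.FTP()
    try:
        ftp.connect(host, port, timeout=timeout)
    except (OSError, socket.timeout):
        return "unreachable"
    try:
        ftp.login()  # no arguments: anonymous login
    except ftplib.error_perm:
        ftp.close()
        return "no-anon"
    try:
        return "write" if anonymous_write_allowed(ftp) else "read-only"
    finally:
        try:
            ftp.quit()
        except ftplib.all_errors:
            ftp.close()


class _FakeFtp:
    """Constructed stand-in for ftplib.FTP so the check runs without a server."""

    def __init__(self, writable):
        self.writable = writable
        self.dirs = set()

    def mkd(self, name):
        if not self.writable:
            raise ftplib.error_perm("550 Access is denied.")
        self.dirs.add(name)
        return name

    def rmd(self, name):
        self.dirs.discard(name)


if __name__ == "__main__":
    import sys

    for host in sys.argv[1:]:
        print(host, check_host(host))
```

Run it as `python ftpaudit.py ftp.example.internal` (hostname assumed) against your own servers; a result of `write` means anonymous users can still create directories and the workaround has not taken effect. The probe creates and immediately removes a directory, so run it with the same impact analysis US-CERT recommends for any defensive change.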

Redmond To Force Live Messenger Upgrade

Microsoft will force an upgrade of its Windows Live Messenger instant messaging software in mid-September. The upgrade fixes a flaw in a code library that could leave the application vulnerable to crashes or code manipulation.

Redmond said in a blog post that users of Messenger 8.1 and 8.5 will be required to upgrade to Messenger 14.0.8089 if they want to continue using the app. This is part of Redmond's ongoing effort to deal with a persistent and pervasive Active Template Library (ATL) vulnerability that was first disclosed in late July in an out-of-band security advisory.

Optional upgrade offers have already started reaching Messenger 8.1 and 8.5 users, Microsoft said. There is also an "or else" tone to Microsoft's notice: beginning in late October, all customers using Messenger 14.0 will be required to upgrade their version of Windows Live Messenger as well.

"To ensure that we are protecting customers, those who do not administer the upgrade will not be able to sign in to Messenger after this time," the notice said.

VMware sets standards for Security in Historic Whitepaper

Going into this week's VMworld conference, there has been lots of talk about how security will be a major concern in the world of virtual PCs, servers and applications. Yes, bugs can get up in the clouds too, and can perhaps even hide better there.

It is perhaps for this reason that RSA released its first comprehensive whitepaper on virtualization security, "Security Compliance in a Virtual World" (registration required to read it).

The paper said "there is no longer a one-on-one relationship between the physical host and server. Now a virtual machine can run on one of many physical hosts, while a host can run a wide variety of virtual machines. This association changes dynamically, making it difficult to keep up with changes."

In addition to keeping out the bad guys, there are several compliance implications to consider, including Sarbanes-Oxley security standards for virtual operating systems, Payment Card Industry data security standards for payment-processing applications, and HIPAA change management and security requirements. The paper also addresses the European Union's data-privacy rules.

The paper argues that IT control considerations such as access control and segregation of duties will be just as important, if not more so, in the virtual world.

Virtualization, the paper said, is still "relatively new," and represents a major shift in enterprise processing. For that reason companies, consultants and developers "need to invest time and effort in learning how to (secure it)."

About the Author

Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.
