Microsoft IIS Server Hack Could Leave Many Unprotected

A hacker has disclosed a formerly unfamiliar vulnerability in the Microsoft’s Internet Information Services (IIS) webserver that could enable attackers to seize complete control over systems running Microsoft IIS.

Proof-of-concept code released Monday has been found to offer remote root access to servers having IIS 5.0 on Windows 2000 with Service Pack 4.

However, IIS 6.0 has also been dubbed vulnerable by Nikolas Rangos, the hacker who revealed the flaw.

He suggested that IIS6 on Windows Server 2003 can be affected when a memory stack procedure, referred to as "stack cookie protection", is enabled.

The code that could help an attacker exploit the aforementioned vulnerability was posted by Rangos on the ‘Milw0rm’ website on Monday.

However, the flaw seems to be triggered only in a few circumstances, particularly when IIS is set to run the file transfer protocol (FTP) and there exists a writable folder.

Commenting upon the issue, a Microsoft spokesperson said in a statement: “The company is investigating new public claims of a possible vulnerability in IIS 5 and IIS 6 File Transfer Protocol (FTP).”

The software giant asserted that it isn’t familiar with any attacks exploiting he security vulnerability yet. “We will take steps to determine how customers can protect themselves, should we confirm the vulnerability”, Microsoft added.

Our Comments

It is not surprising that so many vulnerabilities have been discovered given the complexity of those millions of lines of code. There are only a few days before Microsoft's Tuesday monthly patch session but this is unlikely to be enough for the software giant to come up with a solution.

Related Links

IIS bug gives attackers complete server control

(The Register)

Microsoft IIS Zero-Day Vulnerability Reported

(Information Week)

Microsoft Investigates IIS Zero-Day Security Vulnerability


Microsoft investigating newly reported IIS flaw


Unpatched Flaw Could Take Down Microsoft's IIS Server

(PC World)