Another Vulnerability Discovered in IIS | Internet News

Written By
Thor Olavsrud
Jun 19, 2001

eEye Digital Security Tuesday revealed that it had uncovered a buffer
overflow vulnerability in all versions of Microsoft Corp.’s Internet
Information Services (IIS) Web server software that allows remote
system-level code execution.

Upon discovering the vulnerability, eEye immediately notified Microsoft’s security team and worked with the company to develop a patch.

The vulnerability exists in the code that allows an IIS Web server to
interact with Microsoft Indexing Service functionality. The .ida (Indexing
Service) ISAPI filter — installed by default on all versions of IIS — does
not perform proper “bounds checking” on user-supplied buffers, which makes
it susceptible to buffer overflow attacks.

Using such a buffer overflow attack, a malicious hacker could remotely gain
full system access to any server running a default installation of Windows
NT 4.0, Windows 2000 or Windows XP and using the IIS software. The attacker
would then have the run of that server, with the ability to perform any
desired action, including installing and running programs, manipulating Web
server databases, adding, changing or deleting files and Web pages, etc.

“According to Netcraft, there are roughly 5.9 million Web servers running
IIS,” eEye said. “It is safe to say that because the vulnerability is within
a default IIS component that, at the very least, 50 percent of these servers
have the .ida extension running, making this one of, if not the single
largest vulnerability in IIS to date.”

Microsoft is working to patch Windows XP against the vulnerability before
the final version ships to customers.
