Some Wicked Script This Way Comes

Microsoft is in deep this week with a vulnerability in the software
giant’s Internet Information Server (IIS) 4.0 and 5.0 Web server software, which runs on over four million Web
sites.


The flaw allows users to execute files on Web sites by requesting a specific
Web address. Microsoft released a bulletin about the problem Tuesday, urging
customers to patch its systems.


Essentially, the dangerous code allows a user with a special URL to access
any files on a Web server. IIS is supposed to prevent requests for any file
that’s not meant to be displayed on a Web page.


But if a savvy user includes special characters in the URL, an attacker is
able to bypass the filter meant to prevent such requests. Ultimately, the
intruder can view any file that’s sitting on the hard drive that delivers
Web pages.


While there have been no reports of the hole being plundered and exploited,
it’s possible Web sites have been attacked using it for some time.


And, no one is quite sure how long this breach has been in the wild even
after the problem was first brought to Microsoft’s attention on Oct. 10 on
the security forum Packetstorm, although Beijing’s Network Security Focus
says it has known about the problem for a while.


When asked about the use of a modified URL to access the server, Russ
Cooper, editor of the NT BugTraq security discussion list, said he wouldn’t
be surprised that such bypass scripts are passed around.


“The scripts I’m sure have already been written and I’m sure that there are
tools that get passed around that probably already include methods of
exploiting or at least tests to see whether you can exploit this on a Web
server so, yes, I would say those tools exist,” said Cooper.


“I wouldn’t say that they are being usely widely at this point. I think this
will become one of the standard ways that scripts will try to see whether or
not they can get in.”


Cooper was somewhat diplomatic, but this is not a case of much ado about
nothing because URL’s have been tinkered with before to gain access to
businesses. Last week, buy.com was the victim of curious users who used the
coding of a URL to gain
access
to peoples’ personal information.


Pete Privateer, president of Pelican Security, said the situation for Microsoft was the “same old thing” that has been happening for years.


“Of course Microsoft is a high-profile target — it is ubiquitous,” Privateer said. “Hackers will attack whoever has the greatest market share and penetration. I saw it a few years ago when people found a lot of bugs in UNIX servers. No server has iron-clad security and people should not overlook the ingenuity of man.”


Privateer also said that while much is made about security flaws in servers and software, the desktop breaches often prove to be the most damaging.


“Don’t overlook what can happen on the client-side,” Privateer said. “Flaws are just as strong on the desktop as they are on servers and software. The ‘Love’ virus cost people between $10 and $15 billion in damage — all on the client-side.”


Additional reporting for this story was contributed by Brian McWilliams, host of InternetNews Radio.

News Around the Web