Microsoft Rushes to Patch FTP Hole in IIS

Microsoft sent out a Security Advisory late Tuesday warning users of a critical zero-day flaw in older versions of its Internet Information Services (IIS) Web server software.

Although Microsoft (NASDAQ: MSFT) said in the advisory that to date it knows of no active attacks in the wild, the company said it has seen “detailed exploit code published on the Internet.”

“We’re currently investigating the issue as part of our Software Security Incident Response Process and working to develop a security update … [which] will be released once it reaches an appropriate level of quality for broad distribution,” Alan Wallace, senior communications manager, said in a posting on the Microsoft Security Response Center blog.

Tuesday’s advisory warns users about a hole in the file transfer protocol (FTP) functions of IIS 5.0, 5.1, and 6.0. Using the FTP service to retrieve files from a server by typing at the command-line prompt is a popular method for more technical users to handle files stored on Web servers.

Later versions of IIS — specifically, IIS 7.0 and 7.5 — are not affected, according to the advisory. The affected versions of IIS came with Windows 2000 Service Pack 4 (SP4), Windows XP SP2 and SP3, and Windows Server 2003 SP2, including both 32-bit and 64-bit editions. Windows 7 and Windows Server 2008 are not affected.

The company has published a workaround and is working on a security patch.

The workaround entails an administrator changing file system permissions so that FTP users are not allowed to create new directories or write to FTP directories as anonymous users. The down side is that users will not have access to FTP until a patch is released.

However, if the recent past is any indicator, a full fix is unlikely to be completed and thoroughly tested in time for next week’s “Patch Tuesday” bug fix drop.

The majority of Microsoft’s patches come as part of its monthly Patch Tuesday update, which takes place on the second Tuesday of every month.

Scheduled updates provide predictability for corporate customers, but they could mean a short lag in cases when a flaw is discovered too late to make it into the next Patch Tuesday update roundup. In those instances, Microsoft will release a rare update outside of its usual Patch Tuesday schedule.

It’s unclear whether this latest bug is serious enough to prompt such a so-called “out-of-band” patch.

While out-of-band patches are uncommon, Microsoft issued two such updates in late July, when it released fixes to block potentially nasty attacks against Internet Explorer (IE) plug-ins and other programs constructed using a technology called the Active Template Library, or ATL.

That release came about due to the imminent release of details on how to exploit the bugs: Researchers attending the Black Hat Las Vegas security conference planned to demonstrate the bugs. Their presentation wound up taking place the day after Microsoft released its patches.

News Around the Web