Older Microsoft Web Servers Pose Zero Day Risk

Microsoft issued a Security Advisory warning this week related to its Internet Information Server (IIS). The advisory notes there’s a vulnerability in the way the Web server handles certain types of HTTP requests that could leave versions 5 and 6 of the servers open to serious attacks.

In fact, the U.S. Computer Emergency Readiness Team (US-CERT), a branch of the Department of Homeland Security, announced that proof-of-concept code for the security hole is already circulating on the Web. While no attacks have occurred in the wild yet, the fact that code for an attack is already floating around the Internet means the flaw constitutes a zero-day vulnerability.

That said, in its Security Advisory, Microsoft (NASDAQ: MSFT) said that the problem is not as serious as it might have been due to default settings that protect many servers.

“Web-based Distributed Authoring and Versioning (WebDAV) is a set of HTTP extensions that allow collaborative management and editing of files collected on remote servers. The way that Microsoft IIS’s implementation of WebDAV handles unicode tokens may allow authentication bypass,” said a statement on US-CERT’s site.

In its advisory, Microsoft pointed out that the sites at risk are those with an “anonymous” user account configured on the system. By default, though, such accounts are blocked from fully exploiting the hole because the anonymous account remains constrained by the Windows file system’s access control lists, or ACLs, which can keep an illegitimate user from writing to the server.

For those at risk, a successful attack would begin with IIS receiving a rigged URL to process, which enables the anonymous account to bypass authentication. Even then, many servers would not wind up completely under the control of the malicious code — but attackers may be able to read files on the server.
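A defender-side check in the spirit of the advisory, added here as an example rather than anything published by Microsoft or US-CERT: it scans IIS W3C-format log lines for WebDAV requests made by the anonymous account whose path carries Unicode-encoded (non-ASCII) bytes, and, on servers where WebDAV has been disabled as recommended, for any WebDAV method being served at all. The field names follow the IIS W3C extended log format; the sample log, addresses and paths are constructed.

```python
import re

# Methods defined by the WebDAV extensions; a site with WebDAV disabled should serve none of them.
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK", "SEARCH"}

# Any percent-encoded octet >= 0x80, i.e. a non-ASCII (Unicode-encoded) byte inside the requested path.
NON_ASCII_ESCAPE = re.compile(r"%[89a-fA-F][0-9a-fA-F]")

def parse_w3c(text):
    """Parse IIS W3C extended log text into dicts keyed by the names in its '#Fields:' directive."""
    fields, records = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]        # field names follow the directive keyword
        elif line and not line.startswith("#"):
            records.append(dict(zip(fields, line.split())))
    return records

def flag_request(rec, webdav_disabled=False):
    """Return a reason string if the request fits the advisory's risk profile, else None."""
    method, path, user = rec.get("cs-method", ""), rec.get("cs-uri-stem", ""), rec.get("cs-username", "-")
    if method not in WEBDAV_METHODS:
        return None
    if webdav_disabled:
        return f"{method} served although WebDAV should be disabled"
    # IIS logs anonymous requests with '-' as cs-username; that is the account the advisory describes.
    if user == "-" and NON_ASCII_ESCAPE.search(path):
        return f"anonymous {method} with Unicode-encoded bytes in path {path}"
    return None

def scan_log(text, webdav_disabled=False):
    """Return (client ip, status, reason) for every flagged log line."""
    hits = []
    for rec in parse_w3c(text):
        reason = flag_request(rec, webdav_disabled)
        if reason:
            hits.append((rec.get("c-ip"), rec.get("sc-status"), reason))
    return hits

# Constructed sample log in IIS 6 W3C format; addresses, users and paths are made up.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2009-05-19 10:01:02 192.0.2.10 GET /index.htm - 80 - 198.51.100.7 Mozilla/4.0 200
2009-05-19 10:01:05 192.0.2.10 PROPFIND /protected/ - 80 - 198.51.100.7 Microsoft-WebDAV-MiniRedir 401
2009-05-19 10:01:09 192.0.2.10 PROPFIND /%c3%a9protected/ - 80 - 198.51.100.7 Microsoft-WebDAV-MiniRedir 207
2009-05-19 10:02:00 192.0.2.10 PROPFIND /share/ - 80 CORP\\jdoe 198.51.100.9 Microsoft-WebDAV-MiniRedir 207
"""
if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

A 207 Multi-Status answer to an anonymous PROPFIND with encoded bytes in the path is the case worth following up against the directory's ACLs; authenticated users and plain ASCII paths are left alone.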

Microsoft hasn’t yet decided how to fix the defect, according to the advisory. However, IIS 7, the current version, is not at risk.

The effect on SharePoint

In the meantime, if an IIS 5 or 6 server doesn’t need to support WebDAV, both Microsoft and US-CERT recommend disabling it. However, US-CERT points out that disabling WebDAV “may affect the functionality of other applications such as SharePoint.”

One security expert was philosophical about the latest hole, especially in light of Microsoft’s regular monthly patch releases.

“This is only the third vulnerability we’ve seen in IIS since October of 2004 (last issues were Feb 2008 and July 2006) – IIS has been pretty secure over the last few years (unlike the years 2000-2004 where we saw numerous bulletins, patches, and exploitations such as Code Red and Nimda),” Eric Schultze, CTO of Shavlik Technologies, told InternetNews.com in an e-mail.

“This flaw appears to me much more serious for customers running IIS 5 (Windows 2000) because the vulnerable WebDAV services are running by default. IIS 6 (Windows Server 2003) doesn’t enable WebDAV by default,” Schultze said.

“I recommend people running IIS 5 or IIS 6 run the IIS Lockdown and URLScan tools from Microsoft. Both of these tools disable WebDAV and will protect your system from this latest zero day,” he added. (Note: both tools are available via links in Microsoft’s advisory.)

Alex Goldman contributed to this report.