Microsoft to patch IIS bug

Company confirms that IIS 5 and IIS 6 are affected by new attack that exploits a critical flaw in the FTP software used by IIS

One day after a security researcher published attack code for a flaw in Microsoft's IIS server software, Microsoft said it plans to patch the issue.

Microsoft also released a security advisory describing the problem and detailing technical workarounds that system administrators can implement while they're waiting for a patch. "We're currently investigating the issue... and working to develop a security update," Microsoft said in a note on its Web site. "This update will be released once it reaches an appropriate level of quality for broad distribution."


Microsoft's next set of security patches is due Sept. 8. It's not clear if the company will be able to develop and test its IIS (Internet Information Services) patch in time for that update, however.

The attack code was published Monday by Nikolaos Rangos, who said he did not notify the software company of the issue ahead of time. Rangos's attack is considered to be very reliable on IIS 5 systems and could be used to run unauthorized software on the server.

The flaw lies in the FTP (File Transfer Protocol) software used by IIS, and is considered to be a critical issue for users of the older IIS 5 product. IIS 6 users are also affected, but they are at reduced risk because of the way IIS 6 was compiled, Microsoft said in its advisory. "This does not remove the vulnerability but does make exploitation of the vulnerability more difficult."

Users of the more recent IIS 7, and users of any version on which the FTP service is not running, are not affected, Microsoft said.

Even for IIS 5 and 6 users, there's another mitigating factor: "Affected systems are not vulnerable unless untrusted FTP users are granted write access. By default, FTP users are not granted write access," Microsoft said.

Although nobody has yet reported real-world attacks using Rangos's code, security vendor Symantec said Tuesday that "many systems will be vulnerable across the internet and that in-the-wild attacks will occur."

Another security company, Secunia, rates the flaw "moderately critical."

Last May, Web analytics firm Netcraft counted 2.8 million sites still using the IIS 5 software, but it's not clear how many of them run the FTP service with the write-access configuration this attack requires.


Copyright © 2009 IDG Communications, Inc.