IIS Flaw "Most Serious Hole"- Aussie User Group

Access/ASP/SQL Server User Group (SSW) president in Sydney Adam Cogan has described the security flaw in Microsoft's Internet Information Server, publicised recently, as the "most serious hole I've seen in IS."

Cogan estimates that "70 per cent of Australian Web sites" are using the software and has issued a warning to members in the group's newsletter adding it will affect a fair chunk of Australian business.

"It's about as serious as it gets. When you can read code and execute unauthorised files it doesn't exactly give you a warm and fuzzy feeling; but Microsoft do respond to problems quickly by making a patch available straight away and that's what is important to us," he said.

Cogan said Microsoft gets a lot of media attention with security holes because of a disproportionate number of people attacking the company's software because it is more of a challenge than an unknown name.

Microsoft has posted an advisory about the security hole on its Web site strongly urging users of IIS 4.0 and 5.0 to immediately install the patch, which is available for download.

The company described the flaw as a "Web server folder traversal" vulnerability, which allows intruders to read and execute files on affected IIS-based Web servers by adding a string of characters to the end of a URL.

Microsoft security manager Scott Culp pointed out the patch was available in August but many IT managers failed to install it when it was first made available.

"If you haven't already applied the patch, stop what you are doing right now and install it," he warned.

Admitting the patch being used to plug the hole was initially developed by Microsoft for a different and "much less serious" vulnerability Culp said this is the reason by it wasn't applied by systems administrators the first time round.

He said attackers are able to view any file stored on the same disk drive that serves up Web pages simply by adding extra characters to a URL.

If a server's operating system and IIS software are on the same drive the vulnerability allows attackers to request an operating system file and then execute it.

To ensure this doesn't happen Culp recommended Web folders be located on a different drive from the operating system.

He also said Windows NT-based servers running IIS should be secured so Web site users who are members of the "everyone group" permission level cannot access files outside the Web folder.

"Take away all privileges that are not necessary," Culp said.

There was plenty of online discussion about the hole by potential attackers last week when it was posted on a bulletin board called Packetstorm.

It was also posted on the BugTraq security mailing list a Web site operated by SecurityFocus.com.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

More about MicrosoftSecurityFocusSSW

Show Comments