Adam Cogan, president of the Sydney-based Access/ASP/SQL Server User Group (SSW), has described the security flaw in Microsoft's Internet Information Server, publicised last week, as the "most serious hole I've seen in IS".
Cogan estimates that "70 per cent of Australian Web sites" are using the software and, in the group's newsletter, warned members that it will affect a fair chunk of Australian business.
"It's about as serious as it gets. When you can read code and execute unauthorised files it doesn't exactly give you a warm and fuzzy feeling; but Microsoft does respond to problems quickly by making a patch available straight away and that's what is important to us," he said.
Defending Microsoft, Cogan said the company gets a lot of media attention with security holes. A disproportionate number of people attack the company's software because it is more of a challenge than an unknown name, he said.
Microsoft has posted a notice about the security hole on its Web site, strongly urging users of IIS 4.0 and 5.0 to immediately install the patch, which is available for download.
The company described the flaw as a "Web server folder traversal" vulnerability, which allows intruders to read and execute files on affected IIS-based Web servers by adding a string of characters to the end of a URL.
Microsoft security manager Scott Culp pointed out the patch was available in August but many IT managers failed to install it when it was first made available.
"If you haven't already applied the patch, stop what you are doing right now and install it," he warned.
Culp admitted that the patch used to plug the hole was initially developed by Microsoft for a different and "much less serious" vulnerability, and said this is the reason systems administrators did not apply it the first time round.
He said attackers are able to view any file stored on the same disk drive that serves up Web pages simply by adding extra characters to a URL.
If a server's operating system and IIS software are on the same drive the vulnerability allows attackers to request an operating system file and then execute it.
To ensure this doesn't happen, Culp recommended that Web folders be located on a different drive from the operating system.
He also said Windows NT-based servers running IIS should be secured so Web site users who are members of the "everyone group" permission level cannot access files outside the Web folder.
"Take away all privileges that are not necessary," Culp said.
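The folder traversal described above comes down to one question a server (or a log reviewer) has to answer for every request: after the URL path is decoded and normalised, does the target still lie inside the Web folder? The Python below is an added example, not code from the article or from Microsoft, showing that containment check and running it over a few constructed log lines to flag requests that would escape the Web root. It goes slightly beyond the article by also handling percent-encoded, double-encoded and backslash-separated traversal sequences, since those are the forms such "extra characters" usually take. The Web root path, the log format and the file names are assumptions made for the example.

```python
import posixpath
from urllib.parse import unquote

# Assumed Web root for this example; the article does not name one.
WEB_ROOT = "/srv/www/root"


def decode_fully(text: str, rounds: int = 3) -> str:
    """Percent-decode until the string stops changing (bounded number of
    rounds), so that double-encoded sequences are compared in final form."""
    for _ in range(rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def resolve_request_path(url_path: str, web_root: str = WEB_ROOT):
    """Map a requested URL path onto the filesystem under web_root.

    Returns (allowed, resolved). allowed is False when the normalised target
    would lie outside web_root or the decoded path carries a NUL byte.
    """
    decoded = decode_fully(url_path.split("?", 1)[0])
    if "\x00" in decoded:
        return False, None
    # Windows-hosted servers treat backslash as a path separator as well.
    decoded = decoded.replace("\\", "/")
    root = posixpath.normpath(web_root)
    resolved = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    allowed = resolved == root or resolved.startswith(root + "/")
    return allowed, resolved


# Constructed sample log lines (not real traffic):
# date time client method path status
SAMPLE_LOG = [
    "2000-10-20 10:00:01 10.0.0.5 GET /index.htm 200",
    "2000-10-20 10:00:02 10.0.0.5 GET /scripts/../../private/secret.txt 200",
    "2000-10-20 10:00:03 10.0.0.9 GET /scripts/..%2f..%2fprivate/secret.txt 200",
    "2000-10-20 10:00:04 10.0.0.9 GET /scripts/..%255c..%255cprivate/secret.txt 200",
    "2000-10-20 10:00:05 10.0.0.7 GET /images/logo.gif 200",
]


def flag_traversal(log_lines):
    """Return (client, requested path, resolved path) for every request whose
    normalised target escapes the Web root."""
    flagged = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 6:
            continue  # malformed line; skip rather than guess
        client, path = parts[2], parts[4]
        allowed, resolved = resolve_request_path(path)
        if not allowed:
            flagged.append((client, path, resolved))
    return flagged


if __name__ == "__main__":
    for hit in flag_traversal(SAMPLE_LOG):
        print("traversal attempt:", hit)
```

Resolving against the root and then testing containment, rather than searching the raw URL for `..`, is what makes the check robust: whichever way the separator or the dots are encoded, the decoded path either stays under the Web folder or it does not. Culp's advice to keep Web folders on a separate drive and to strip unneeded "everyone" permissions is the second layer: even a request that slips past this check should then find nothing it is allowed to read or run.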
There was plenty of online discussion about the hole by potential attackers last week when it was posted on a bulletin board called Packetstorm.
It was also posted on the BugTraq security mailing list, a Web site operated by SecurityFocus.com.