New Microsoft IIS Zero-Day Vulnerability

Today (May 19, 2009) Microsoft released a security advisory for Microsoft IIS Servers. This flaw can enable attackers to read sensitive files on the webserver by submitting a specially crafted URL to the IIS server.

This is only the third vulnerability we’ve seen in IIS since October of 2004 (the last issues were Feb 2008 and July 2006) – IIS has been pretty secure over the last few years (unlike the years 2000-2004, when we saw numerous bulletins, patches, and exploitations such as Code Red and Nimda).

This flaw appears to be much more serious for customers running IIS 5 (Windows 2000) because the vulnerable WebDAV services are running by default. IIS6 (Windows Server 2003) doesn’t enable WebDAV by default.

It is unclear what level of access may be granted to an attacker via this exploit, as it all depends on how the webserver has been configured and how file system security has been applied to the data on the webserver. In a default configuration (and I would gather most installations), this flaw might allow the attacker to read certain files on the webserver, but would not allow them to write any files. If the attacker is unable to write any files to the webserver, it’s far less likely that the attacker can upload or execute any malicious code on the server or gain additional levels of access to the server. One note of caution – this flaw could enable attackers to read code pages on the webserver, where these pages might include usernames or passwords for applications or databases controlled by the webserver.

Shavlik recommends people running IIS5 or IIS6 run the IIS Lockdown and URLScan tools from Microsoft. Both of these tools disable WebDAV and will protect your system from this latest zero day.
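Before disabling WebDAV with IIS Lockdown or URLScan, an administrator will usually want to know whether anything legitimately uses it and whether the server has been probed with WebDAV requests. The script below is an added example (not code from the original post, Shavlik, or Microsoft) that parses IIS W3C extended log lines, flags requests using WebDAV methods or returning the WebDAV-specific 207 Multi-Status code, and counts them per client address. The log lines embedded in it are constructed samples, not real traffic, and the field set assumed in the `#Fields:` directive is an assumption; real logs carry whatever fields logging was configured with, which is why the parser reads the field names from the directive instead of hard-coding column positions.

```python
"""Flag WebDAV requests in IIS W3C extended log lines.

Added example, not part of the original post. Purpose: see whether
WebDAV is in use or being probed on an IIS 5/6 server before it is
disabled with IIS Lockdown / URLScan. The sample log is constructed.
"""
from typing import Dict, List, Optional

# WebDAV methods (RFC 2518 / RFC 4918) plus Microsoft's SEARCH extension.
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE",
                  "LOCK", "UNLOCK", "SEARCH"}

# Constructed sample log (assumed field set; addresses from RFC 5737 test ranges).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2009-05-19 10:01:02 192.0.2.10 GET /index.htm 200
2009-05-19 10:01:05 192.0.2.10 GET /images/logo.gif 200
2009-05-19 10:02:17 198.51.100.7 PROPFIND /protected/ 207
2009-05-19 10:02:18 198.51.100.7 GET /protected/config.asp 200
2009-05-19 10:03:40 203.0.113.5 OPTIONS / 200
2009-05-19 10:04:01 203.0.113.5 GET /missing.htm 404 extra-column
"""


def parse_w3c(text: str) -> List[Dict[str, str]]:
    """Parse W3C extended log text into dicts keyed by the #Fields names."""
    fields: Optional[List[str]] = None
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # field names follow the directive
            continue
        if not line or line.startswith("#"):
            continue                       # other directives / blank lines
        if fields is None:
            raise ValueError("data line before #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            continue                       # skip malformed lines, never misalign columns
        rows.append(dict(zip(fields, values)))
    return rows


def is_webdav(row: Dict[str, str]) -> bool:
    """A request is WebDAV-related if it uses a WebDAV verb or got 207 Multi-Status."""
    method = row.get("cs-method", "").upper()
    return method in WEBDAV_METHODS or row.get("sc-status") == "207"


def webdav_requests(rows: List[Dict[str, str]]) -> List[Dict[str, str]]:
    return [r for r in rows if is_webdav(r)]


def clients_by_webdav_use(rows: List[Dict[str, str]]) -> Dict[str, int]:
    """Count WebDAV-related requests per client IP."""
    counts: Dict[str, int] = {}
    for r in webdav_requests(rows):
        counts[r["c-ip"]] = counts.get(r["c-ip"], 0) + 1
    return counts


if __name__ == "__main__":
    parsed = parse_w3c(SAMPLE_LOG)
    for r in webdav_requests(parsed):
        print(r["date"], r["time"], r["c-ip"], r["cs-method"],
              r["cs-uri-stem"], r["sc-status"])
    print("clients using WebDAV:", clients_by_webdav_use(parsed))
```

Run it against a real `ex*.log` file by replacing `SAMPLE_LOG` with the file's contents; an empty result means WebDAV can be disabled without breaking a known client, while a non-empty result from addresses that should not be using WebDAV is worth investigating. OPTIONS is deliberately not treated as WebDAV on its own, since ordinary clients send it too.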
