MS tells users to fix

Microsoft Corp. is scrambling to alert users of its Internet Information Server (IIS) software to a serious security flaw that has recently been the topic of many on-line discussions by potential attackers.

Discussions of undisclosed security holes aren’t uncommon on Internet bulletin boards and Internet Relay Chat channels. But after Microsoft had learned that the IIS vulnerability was being openly talked about, the company launched an intense 20-hour campaign to identify an existing patch that’s supposed to fix the problem with the popular Web server software and then contact information technology managers who largely had failed to install that patch when it was first made available in August.

Late last month, Microsoft posted a new advisory about the security hole on its Web site and “strongly” urged all users of IIS 4.0 and 5.0 to immediately install the patch. “If you haven’t already applied the patch, stop what you are doing right now and install it,” said Microsoft security manager Scott Culp.

The flaw, referred to by Microsoft as a “Web server folder traversal” vulnerability, allows intruders to read and execute files on affected IIS-based Web servers by adding a specific string of characters to the end of a URL. Separate downloads are available on Microsoft’s Web site for the IIS 4.0 and 5.0 versions of the patch.

According to Culp, the hole doesn’t reveal administrative passwords, but it gives attackers the same access privileges that they would have if they logged on to the server from a keyboard. “It doesn’t make them administrators, but it makes them local users who could add, change or delete files, run executables or load additional software on the machine and run it,” he said. “It’s a serious vulnerability just the same.”

The patch that Microsoft said will plug the hole was initially developed for a different and “much less serious” vulnerability, Culp said. As a result, he noted, many systems administrators simply didn’t apply the patch the first time around. However, Culp added that Microsoft hasn’t received any reports of attackers using the flaw and said such attacks would leave evidence in IIS audit logs.

A notice about the IIS vulnerability was posted on the BugTraq security mailing list, which is located on a Web site operated by Security analyst Elias Levy, who runs Bugtraq, said the incident underscores the need to make security flaws public as soon as they’re discovered.

Mention of the IIS hole appeared recently on a bulletin board called Packetstorm, where an anonymous poster reported that the flaw allowed outsiders to execute commands on Web servers running the software. Others then tried to exploit the flaw but said they weren’t able to reproduce the results. However, a security researcher who goes by the handle Rain Forest Puppy eventually made the exploit work and reported the problem to Microsoft.

According to Culp, Microsoft exchanged data with Rain Forest Puppy for several hours while investigating the report. By 11 p.m. that night, he said, the company gathered the entire IIS development team together to start a more in-depth examination of the issue. The team worked through the night and determined by 8 a.m. the next day that the vulnerability was bona fide and that it could be fixed by the patch issued in August.

Later on, Culp said, Microsoft contacted several thousand on-site customer support workers and directed them to call corporate IIS users at home, alert them to the vulnerability and urge them to go to their offices and immediately apply the patch to protect their Web servers.

By adding extra characters to a URL, Culp said, attackers also are able to view any file stored on the same disk drive that serves up Web pages. If a server’s operating system and the IIS software are on the same drive, for example, the vulnerability allows attackers to request an operating system file and then execute it.

To guard against that happening, Culp recommended that Web folders be located on a different drive from the operating system. He also said Windows NT-based servers running IIS should be secured to ensure that Web site users who are members of the “everyone group” permission level can’t access files outside of the Web folder. “Take away all privileges that are not necessary,” he said.
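Culp's remark that such attacks would leave evidence in IIS audit logs can be turned into a log review. The script below is an added example, not code from the article or from Microsoft: it assumes logs in W3C extended format with a `#Fields:` header and a `cs-uri-stem` column that records the path as requested, and because the article does not give the actual string, it looks for generic traversal indicators only.

```python
from urllib.parse import unquote_to_bytes
MAX_ROUNDS = 3  # decoding passes to try on nested escapes

def decode_layers(stem):
    """Percent-decode repeatedly; return (bytes, number of passes that changed them)."""
    data, rounds = stem.encode("latin-1", "replace"), 0
    while rounds < MAX_ROUNDS:
        nxt = unquote_to_bytes(data)
        if nxt == data:
            break
        data, rounds = nxt, rounds + 1
    return data, rounds

def reasons_for(stem):
    """List why a request path looks like a traversal attempt (empty if clean)."""
    data, rounds = decode_layers(stem)
    reasons = []
    if b".." in data.replace(b"\\", b"/").split(b"/"):
        reasons.append("dot-dot segment")
    if rounds > 1:
        reasons.append("nested percent-encoding")
    try:
        data.decode("utf-8")
    except UnicodeDecodeError:
        reasons.append("escapes are not valid UTF-8")
    return reasons

def scan(lines):
    """Return (line_no, client_ip, status, reasons) for each suspicious request."""
    fields, hits = [], []
    for no, line in enumerate(lines, 1):
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names for the rows that follow
        elif line and not line.startswith("#") and fields:
            row = dict(zip(fields, line.split()))
            why = reasons_for(row.get("cs-uri-stem", ""))
            if why:
                hits.append((no, row.get("c-ip"), row.get("sc-status"), why))
    return hits

# Constructed sample log (documentation-range addresses), not real traffic.
SAMPLE = """#Fields: date time c-ip cs-method cs-uri-stem sc-status
2000-10-20 09:14:02 192.0.2.10 GET /default.htm 200
2000-10-20 09:14:09 198.51.100.7 GET /images/../../private/notes.txt 404
2000-10-20 09:14:15 198.51.100.7 GET /images/%252e%252e/%252e%252e/notes.txt 404
2000-10-20 09:14:21 203.0.113.5 GET /docs/%fe%ffreport.htm 200
""".splitlines()
for hit in scan(SAMPLE):
    print(hit)
```

A flagged request that returned a 2xx status deserves attention first, since the server served or ran something rather than rejecting the path.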