Microsoft warns of IIS zero-day vulnerability

By Robert Westervelt, News Editor 19 May 2009 | SearchSecurity.com

Security UK News Digg This!     StumbleUpon     Del.icio.us

Microsoft is warning of an IIS zero-day vulnerability in Microsoft Internet Information Services (IIS) Web server, which if successfully exploited, could give an attacker elevated privileges to gain access to sensitive data.

Microsoft said a remote authentication bypass vulnerability exists in the WebDAV extension, a collection of tools used to publish content to IIS Web servers. The Web server does not properly decode a requested URL. An attacker can exploit the flaw by creating a specially crafted anonymous HTTP request to gain access to a location. Microsoft said the hack typically requires authentication.

Microsoft IIS versions 5.0-6.0 are affected. The software giant said it is unaware of any known attacks against the flaw in the wild. But the U.S. Computer Emergency Response Team issued an advisory warning on Monday that it is aware of publicly available exploit code and active exploitation of the vulnerability.

As a workaround, users can disable WebDAV functionality, Microsoft said. Users can also deny file system access control lists for anonymous user accounts or use NTFS access control lists to control access to resources on the server.

"Microsoft will take the appropriate action to protect our customers, which may include providing a solution through our monthly security update release process, or an out-of-cycle security update, depending on customer needs," Christopher Budd, the security response communications lead for Microsoft said in a statement.

The flaw was discovered by security researcher Nikolaos Rangos, who posted details to the Full Disclosure security mailing list. In his IIS advisory, Rangos said the flaw enables attackers to bypass password protected folders and upload or download files into a password protected WebDAV folder.

In its 971492 security advisory, Microsoft downplayed the severity of the flaw explaining several security features that must be bypassed to successfully exploit the flaw.

Microsoft said an attacker cannot exceed the level of access granted to the anonymous user account since the IIS file system verifies whether a file is accessible by a given user. Also, the anonymous user account only has read access. Microsoft said the WebDAV extension is not enabled in the default configuration, meaning that many organizations may not be using it.

Danish vulnerability clearinghouse Secunia gave the flaw a moderately critical rating.

Tags: Database Security Tools and Techniques,  Secure Coding and Application Programming,  Data Protection Solutions and Strategy,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Database Security Tools and Techniques Multifunction security device safeguards SOA, streamlines company's infrastructure Safend expands data leakage prevention product to plug more gaps How to prevent memory dump attacks Database activity monitoring lacks security lift Report: Firms avoid encrypting backup tapes, databases Cryptography for the rest of us Recent breaches show data theft prevention basics lacking Unpatched vulnerability discovered in Microsoft SQL Server How to use Excel for security log data analysis SQL injection continues to trouble firms, lead to breaches Secure Coding and Application Programming Open source software security tops commercial apps, study finds Improving software with the Building Security in Maturity Model (BSIMM) SANS Institute, MITRE release new top 25 dangerous coding errors list Code complexity analysis: How to keep it simple Active PDF attacks target Reader, Acrobat zero-day vulnerability Software piracy group offers cash to whistleblowers SQL injection detection tools and prevention strategies Cross-site scripting explained: How to prevent attacks H.D. Moore speaks about Metasploit Project deal, Release 3.3 Metasploit Project acquired by vulnerability management firm Rapid7 Data Protection Solutions and Strategy Enterprise data management: Prevent data loss and insider threats NSA, cryptoexperts jab at RSA Conference 2010 Cryptographers' Panel Make PCI DSS compliance easier by reducing scope, outsourcing data Data Protection Act fines likely limited, audit powers may expand Websense integrated security system aims to simplify security management Full disk encryption: Safer and easier than file and folder encryption No major PCI DSS revision expected in 2010 Data breach costs continue to rise in 2009, Ponemon study finds Chinese hacker attacks target Google Gmail accounts, top tech firms Annual security reports offer some hope

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary Serious Organized Crime Agency  (SearchSecurityUK.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary