Microsoft warns of vulnerability in internet information services

News by Dan Raywood

Microsoft has warned of a vulnerability in its internet information services (IIS) that could allow elevation of privilege.

Microsoft has warned of a vulnerability in its internet information services (IIS) that could allow elevation of privilege.


In a security advisory, it claimed that an elevation of privilege vulnerability exists in the way that the WebDAV extension for IIS handles HTTP requests. An attacker could exploit this vulnerability by creating a specially crafted anonymous HTTP request to gain access to a location that typically requires authentication.


Paul Henry, security and forensic analyst at Lumension, claimed that while Microsoft may believe that its IIS 6 web-server software issues are only limited to a data leakage issue and not necessarily a larger immediate threat, it should consider other aspects of this issue and accelerate a solution to protect the community at large.


Henry said: “The larger potential problem with the IIS 6 issue is that it has the potential for malicious remote hackers to view and upload files to the server by taking advantage of a bug in the way that Microsoft software's processes Unicode tokens do.


“Hence, it would conceivably be a trivial matter to replace trusted files on the web server with malicious files. One example of such a potential risk would be to replace trusted PDF files containing company's customer data with malicious PDF files that take advantage of recently patched Adobe PDF issues.


Meanwhile Eric Schultze, CTO of Shavlik Technologies, claimed that this is only the third vulnerability seen in IIS since October of 2004 and it has been pretty secure over the last few years.


Schultze said: “It is unclear what level of access may be granted to an attacker via this exploit as it all depends on how the web server has been configured and how the file system security has been applied to the data on the web server. In a default configuration (and I would gather most installations), this flaw might allow the attacker to read certain files on the web server, but would not allow them to write any files.


“If the attacker is unable to write any files to the web server, it's far less likely that the attacker can upload or execute any malicious code on the server or gain additional levels of access to the server.”


Schultze did offer one note of caution, as the flaw could enable attackers to read code pages on the web server, where the pages may include usernames or passwords for applications or databases controlled by the web server. Shavlik recommended people running IIS 5 or IIS 6 run the IIS Lockdown and URLScan tools from Microsoft.  Both of these tools disable WebDAV and will protect your system from this latest zero day.



Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews