A vulnerability has been discovered in Windows Server 2003 running IIS 6.0 by two security researchers at the South China University of Technology, Zhiniang Peng and Chen Wu, but Microsoft said it won't issue a patch even though up to 600,000 servers could still be running the unsupported software.
The researchers posted a proof-of-concept exploit for the zero-day to GitHub. The flaw (CVE-2017-7269) is a buffer overflow in the WebDAV component of IIS 6.0, triggered by an overlong If header beginning with "<http://" in a PROPFIND request that the server fails to validate before copying.
The researchers said it's not a theoretical risk as the flaw was exploited in the wild in July or August 2016. It was disclosed to the public this week.
“A remote attacker could exploit this vulnerability in the IIS WebDAV Component with a crafted request using PROPFIND method. Successful exploitation could result in denial of service condition or arbitrary code execution in the context of the user running the application,” said Virendra Bisht, a vulnerability researcher at Trend Micro.
He added that other threat actors are now building malicious code based on the original proof-of-concept (PoC).
Windows Server 2003, and the IIS 6.0 that ships with it, left extended support in July 2015, and Microsoft said it was unlikely to patch the affected code.
"This issue does not affect currently supported versions," said a Microsoft spokesperson. "We continue to recommend that customers upgrade to our latest operating systems and benefit from robust, modern protection."
Bisht said that while Microsoft no longer supports and will not patch the old OS version, organisations could mitigate the risk by disabling the WebDAV service on the vulnerable IIS 6.0 installation. He added that newer versions of Windows Server, which ship with newer versions of IIS, are not affected by this vulnerability.
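Two checks a defender can run while a legacy host is still online, written as an added example for this article (not the researchers' PoC, and not Trend Micro's or 0patch's code): the first flags a raw HTTP request that matches the trigger pattern described above, a PROPFIND whose If header is abnormally long and begins with "<http://", which is the kind of rule a WAF or IDS in front of the server would carry; the second parses the response to an OPTIONS request and reports whether the server still advertises WebDAV, so the "disable WebDAV" mitigation can be verified from outside. The 256-byte limit and all sample requests and responses are constructed assumptions for the example, not values from the advisory.

```python
"""Detection and verification helpers for CVE-2017-7269 exposure (added example).

flag_propfind_request(): flags a PROPFIND whose If header is overlong and starts
    with "<http://" (the trigger shape described in the article).
webdav_enabled(): parses an OPTIONS response and reports whether WebDAV is still
    advertised (DAV header present, or PROPFIND listed in Allow/Public).

All sample messages below are constructed for this example.
"""
from typing import Dict, Tuple

# Assumption: legitimate If headers (a URL plus a lock token) are far shorter.
IF_HEADER_LIMIT = 256


def parse_http_message(raw: str) -> Tuple[str, Dict[str, str]]:
    """Split a raw HTTP message into its start line and a lower-cased header dict."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" not in line:
            continue  # tolerate malformed lines rather than crash the detector
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def flag_propfind_request(raw: str) -> Tuple[bool, str]:
    """Return (suspicious, reason) for one raw HTTP request."""
    start_line, headers = parse_http_message(raw)
    method = start_line.split(" ", 1)[0].upper()
    if method != "PROPFIND":
        return False, "not a PROPFIND"
    if_header = headers.get("if")
    if if_header is None:
        return False, "PROPFIND without If header"
    if if_header.startswith("<http://") and len(if_header) > IF_HEADER_LIMIT:
        return True, f"overlong If header ({len(if_header)} bytes) beginning with <http://"
    return False, "If header within limits"


def webdav_enabled(raw_response: str) -> bool:
    """True if an OPTIONS response shows WebDAV is still exposed."""
    _, headers = parse_http_message(raw_response)
    if "dav" in headers:
        return True
    advertised = (headers.get("allow", "") + "," + headers.get("public", "")).upper()
    methods = {m.strip() for m in advertised.split(",") if m.strip()}
    return "PROPFIND" in methods


# Constructed samples (not captured traffic).
BENIGN_PROPFIND = (
    "PROPFIND /share/ HTTP/1.1\r\n"
    "Host: legacy.example.test\r\n"
    "Depth: 1\r\n"
    "If: <http://legacy.example.test/share/doc.txt> "
    "(<opaquelocktoken:e71d4fae-5dec-22d6-fea5-00a0c91e6be4>)\r\n\r\n"
)
SUSPICIOUS_PROPFIND = (
    "PROPFIND / HTTP/1.1\r\n"
    "Host: legacy.example.test\r\n"
    "If: <http://localhost/" + "A" * 2000 + ">\r\n\r\n"
)
OPTIONS_WEBDAV_ON = (
    "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/6.0\r\nDAV: 1, 2\r\n"
    "Allow: OPTIONS, TRACE, GET, HEAD, POST, PROPFIND, PROPPATCH, LOCK, UNLOCK\r\n"
    "Public: OPTIONS, TRACE, GET, HEAD, POST, PROPFIND, PROPPATCH, LOCK, UNLOCK\r\n"
    "Content-Length: 0\r\n\r\n"
)
OPTIONS_WEBDAV_OFF = (
    "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/6.0\r\n"
    "Allow: OPTIONS, TRACE, GET, HEAD, POST\r\n"
    "Public: OPTIONS, TRACE, GET, HEAD, POST\r\n"
    "Content-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    for label, req in (("benign", BENIGN_PROPFIND), ("suspicious", SUSPICIOUS_PROPFIND)):
        print(label, flag_propfind_request(req))
    print("WebDAV on :", webdav_enabled(OPTIONS_WEBDAV_ON))
    print("WebDAV off:", webdav_enabled(OPTIONS_WEBDAV_OFF))
```

Two caveats. The length rule catches the crafted header only where the raw request is visible, so it belongs in a reverse proxy, WAF or IDS in front of the host; the IIS W3C log format does not record the If header, so the attack leaves no such trace in the web server's own logs. And a negative result from `webdav_enabled()` only shows the method is no longer advertised on that path; confirm the WebDAV web service extension is actually prohibited in IIS Manager rather than relying on the banner alone.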
While an official patch from Microsoft looks unlikely to ever surface, a third-party company is offering organisations an alternative to upgrading.
In a blog post, Acros Security CEO Mitja Kolsek said that to help maintainers of Windows Server 2003 computers block almost inevitable attacks under these unfavourable circumstances, “we decided to provide them a free solution: a micropatch for CVE-2017-7269, which they can apply on their machines not only without rebooting, but also without even restarting Internet Information Services.”
Marco Cova, senior security researcher at Lastline, told SC Media UK that in some cases organisations are simply not aware that they have outdated systems exposed to the world.
“These may be machines that have been set up a long time ago by personnel who have long moved on. Then, these machines sit around, completely neglected, waiting for someone to discover them. Keeping inventories up to date, decommissioning unused systems, and restricting access to outdated ones that for whatever reason cannot be kept up to date are all good practices,” he said.
Adrian Liviu Arsene, senior e-threat analyst at Bitdefender, told SC that running legacy infrastructures is always risky, “But there may be instances where dropping them and migrating to newer infrastructures would require far greater costs. However, this is usually a decision that individual companies are tasked with taking.”