Monday, August 31, 2009
New Microsoft IIS Zero Day Flaw
The latest flaw happens to be in the FTP module in various versions of IIS, including 5 and 6, as noted in the Full Disclosure mailing list report. The vulnerability could allow attackers to obtain system-level privileges, not ideal on a web instance.
Of course, there's no patch. Will this be another incident where we later find out that Microsoft has known of the flaw for a year and sat on their hands? I sure hope not.
Based on the snippets of exploit code floating around, at the very least I would make sure that you don't allow anonymous access via FTP - configure your setup to grant access only to trusted users.
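As an added example (not part of the original post), here is a small Python check for IIS 6 FTP logs that reports anonymous logins which actually succeeded, which is the quickest way to confirm the mitigation above took effect. It assumes the W3C log layout with a `#Fields:` header and session-prefixed methods such as `[1]USER`; the log lines are constructed, not captured from a real server.

```python
"""Flag successful anonymous FTP logins in IIS 6 W3C-format FTP logs.

Added example, not code from the original post. Assumes the W3C FTP log
layout with a '#Fields:' header and session-prefixed methods ('[1]USER');
the sample lines below are constructed, not captured.
"""
import re
from collections import defaultdict

# Constructed sample: one anonymous session that logs in (230), one named
# user, and one anonymous attempt that is refused (530).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2009-08-31 12:00:00
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2009-08-31 12:00:01 192.0.2.10 [1]USER anonymous 331
2009-08-31 12:00:01 192.0.2.10 [1]PASS guest@example.com 230
2009-08-31 12:00:02 192.0.2.10 [1]QUIT - 226
2009-08-31 12:00:05 192.0.2.20 [2]USER deploy 331
2009-08-31 12:00:05 192.0.2.20 [2]PASS - 230
2009-08-31 12:00:07 192.0.2.30 [3]USER anonymous 331
2009-08-31 12:00:07 192.0.2.30 [3]PASS - 530
"""

ANON_USERS = {"anonymous", "ftp"}
METHOD_RE = re.compile(r"^\[(\d+)\](\w+)$")  # "[1]USER" -> session 1, verb USER


def anonymous_logins(log_text):
    """Return {client_ip: count} of anonymous logins that reached status 230."""
    fields = []
    pending = {}            # session id -> client ip, waiting for the PASS result
    hits = defaultdict(int)
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # take the column order from the header
            continue
        if not line or line.startswith("#"):
            continue
        rec = dict(zip(fields, line.split()))
        m = METHOD_RE.match(rec.get("cs-method", ""))
        if not m:
            continue
        sid, verb = m.groups()
        if verb == "USER" and rec.get("cs-uri-stem", "").lower() in ANON_USERS:
            pending[sid] = rec["c-ip"]
        elif verb == "PASS" and sid in pending:
            if rec.get("sc-status") == "230":   # 230 = user logged in
                hits[pending[sid]] += 1
            del pending[sid]
    return dict(hits)


if __name__ == "__main__":
    for ip, n in anonymous_logins(SAMPLE_LOG).items():
        print(f"successful anonymous FTP login(s) from {ip}: {n}")
```

Any non-empty result after anonymous access has been switched off means the change did not take on the site in question.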
You can read all about it at milw0rm, or at US-CERT, although the latter doesn't have a lot of info. Stay tuned.
Updated 9/3/09 9:30 PM - Microsoft has released Security Advisory 975191 for the vulnerability in the FTP service when running IIS 5.0, 5.1, 6.0, and connected to the Internet. That last part is a wake-up call.
Of course, Redmond needs to do a quick tap dance and point out that the vulnerability was "not responsibly disclosed to Microsoft and may put customers at risk."
I don't have enough fingers and toes to count the number of times security researchers have notified Microsoft before going public, only to see months (or years) go by before a fix was issued. Usually, it's the availability of exploit code that finally drives Microsoft's response.
So thanks for the lecture, guys. Now go fix the damn problem.