Monday, August 31, 2009

New Microsoft IIS Zero Day Flaw

Microsoft's concept of secure computing is a lot different than mine. Not that anyone asked, but, c'mon man!

The latest flaw happens to be in the FTP module in various versions of IIS, including 5 and 6, as noted in the Full Disclosure mailing list report. The vulnerability could allow attackers to obtain system-level privileges, not ideal on a web instance.

Of course, there's no patch. Will this be another incident where we later find out that Microsoft has known of the flaw for a year and sat on their hands? I sure hope not.

Based on the snippets of exploit code floating around, at the very least I would make sure that you don't allow anonymous access via FTP - configure your setup to grant access only to trusted users.

You can read all about it at milw0rm, or at US-CERT, although the latter doesn't have a lot of info. Stay tuned.

Image via Infosecurity.us

Updated 9/3/09 9:30 PM - Microsoft has released Security Advisory 975191 for the vulnerability in the FTP service when running IIS 5.0, 5.1, 6.0, and connected to the Internet. That last part is a wake-up call.

Of course, Redmond needs to do a quick tap dance and point out that the vulnerability was "not responsibly disclosed to Microsoft and may put customers at risk."

I don't have enough fingers and toes to count the number of times security researchers have notified Microsoft before going public, only to see months (or years) go by before a fix was issued. Usually, it's the availability of exploit code that finally drives Microsoft's response.

So thanks for the lecture, guys. Now go fix the damn problem.


No comments:

Post a Comment

Please tell me what you think.