Monday, December 28, 2009

Microsoft Comments on IIS Vulnerability

Security blogs and websites have been reporting a previously unknown vulnerability in Microsoft IIS that could lead to remote code execution.

From The Register:

The bug stems from the way IIS parses file names with colons or semicolons in them, according to researcher Soroush Dalili. Many web applications are configured to reject uploads that contain executable files, such as active server pages, which often carry the extension ".asp." By appending ";.jpg" or other benign file extensions to a malicious file, attackers can bypass such filters and potentially trick a server into running the malware.

Microsoft has responded via their Microsoft Security Response Center blog in very carefully crafted language that essentially notes they are still investigating this "claim", that they aren't aware of any "active attacks", and that the only systems at risk are in non-default, unsafe configurations that fail to follow Redmond's best-practice guidelines. There's the usual boilerplate language where Microsoft whines that the existence of the flaw was not "responsibly disclosed," which means the researcher didn't call Redmond with the details and give Microsoft coders a year to sit on the vulnerability before doing something about it.

Since it's likely that not every web server admin is following Microsoft's guidelines, and fewer still are security experts, odds are good that the number of exploitable sites is large, and the clock is ticking until attackers start launching attacks that use the appended file suffix.

If you're not following the best practices outlined in Microsoft's blog posting, you should reexamine your web configs and begin testing in advance of any forthcoming patch. Running unsafe configurations is asking for trouble, and even if Microsoft releases a fix for this particular flaw, your web presence remains at risk until it's hardened.
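To make the filter weakness in the quoted Register paragraph concrete, here is an added Python example (not code from the original post, The Register, or Microsoft) that contrasts an upload check which trusts only the text after the final dot with one that validates the whole filename against an allowlist and then discards the client-supplied name entirely when storing the file. The sample filenames are constructed for the demonstration; whether IIS would actually execute a given name is the parsing behaviour the quoted report describes and is not modelled here.

```python
import re
import uuid
from typing import Dict, Optional, Tuple

# Constructed sample upload names (not from the original post). The first three are
# ordinary; the last three use the ";.jpg" / ":.jpg" suffix trick the post describes.
SAMPLE_NAMES = [
    "photo.jpg",
    "scan.PNG",
    "report.asp",
    "shell.asp;.jpg",
    "shell.asp:.jpg",
    "shell.asp;.jpg.png",
]

# Image uploads only; anything else is rejected outright.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}


def naive_extension_allowed(filename: str) -> bool:
    """The weak check: trust whatever follows the last dot.

    'shell.asp;.jpg' ends in 'jpg', so it passes even though the name also
    carries '.asp' and a separator the server may treat specially.
    """
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext in ALLOWED_EXTENSIONS


# Whole-name allowlist: one base name made of safe characters, exactly one dot,
# one short extension. Semicolons, colons, extra dots, slashes and control
# characters cannot match this pattern at all.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}\.([A-Za-z0-9]{1,5})$")


def hardened_extension_allowed(filename: str) -> bool:
    """Validate the entire name first, then check the single extension."""
    match = SAFE_NAME.match(filename)
    if not match:
        return False
    return match.group(1).lower() in ALLOWED_EXTENSIONS


def stored_name(filename: str) -> Optional[str]:
    """Never reuse the client's name on disk.

    Keep only the validated extension and generate the base name server-side,
    so no characters from the upload ever reach the filesystem or the web server's
    handler mapping. Returns None when the upload should be refused.
    """
    if not hardened_extension_allowed(filename):
        return None
    ext = filename.rsplit(".", 1)[1].lower()
    return f"{uuid.uuid4().hex}.{ext}"


def compare(names=SAMPLE_NAMES) -> Dict[str, Tuple[bool, bool]]:
    """Map each sample name to (naive verdict, hardened verdict)."""
    return {n: (naive_extension_allowed(n), hardened_extension_allowed(n)) for n in names}


if __name__ == "__main__":
    for name, (naive, hardened) in compare().items():
        print(f"{name:22} naive={naive!s:5} hardened={hardened!s:5} stored={stored_name(name)}")
```

Run it and the three suffix-trick names are accepted by the naive check and rejected by the hardened one; the two legitimate images pass both and get a server-generated name. The point of `stored_name` is that even a correct filter is only half the fix: if the web server never sees attacker-chosen bytes in a path, the exact parsing rule it applies to colons and semicolons stops mattering.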



