Zero Day Risk Threatens Older Microsoft Web Servers


Microsoft issued a Security Advisory warning this week related to its Internet Information Server (IIS). The advisory notes there's a vulnerability in the way the Web server handles certain types of HTTP requests that could leave versions 5 and 6 of the servers open to serious attacks.

In fact, the U.S. Computer Readiness Team (US-CERT), a branch of the Department of Homeland Security, announced that proof-of-concept code for the security hole is already circulating on the Web. While no attacks have occurred in the wild yet, the fact that code for an attack is already floating around the Internet means the flaw constitutes a zero-day vulnerability.

That said, in its Security Advisory, Microsoft (NASDAQ: MSFT) said that the problem is not as serious as it might have been due to default settings that protect many servers.

"Web-based Distributed Authoring and Versioning (WebDAV) is a set of HTTP extensions that allow collaborative management and editing of files collected on remote servers. The way that Microsoft IIS's implementation of WebDAV handles unicode tokens may allow authentication bypass," said a statement on US-CERT's site.

In its advisory, Microsoft pointed out that sites that are at risk are ones which have an "anonymous" user account configured on the system. By default, though, such accounts are blocked from completely exploiting the hole because the anonymous account is still constrained by the Windows file system's access control lists, or ACLs, which can keep a fraudulent user from writing to the server.

For those at risk, a successful attack would begin with IIS receiving a rigged URL to process, which enables the anonymous account to bypass authentication. Even then, many servers would not wind up completely under the control of the malicious code -- but attackers may be able to read files on the server.

Microsoft hasn't yet decided how to fix the defect, according to the advisory. In fact, IIS 7, the current version, is not at risk.

The effect on SharePoint

In the meantime, if an IIS 5 or 6 server doesn't need to support WebDAV, both Microsoft and US-CERT recommend disabling it. However, US-CERT points out that disabling WebDAV "may affect the functionality of other applications such as SharePoint."
