Microsoft: No Hole in IIS 6

Share it on Twitter  
Share it on Facebook  
Share it on Linked in  

Microsoft officials say that a hacker who claims to have found a critical zero-day hole in an older version of Internet Information Services (IIS), the company's Web server, is wrong.

"We’ve completed our investigation into the claims that came up over the holiday of a possible vulnerability in IIS and found that there is no vulnerability in IIS," Christopher Budd, a security program manager in the Microsoft (NASDAQ: MSFT) Security Response Center (MSRC), said in a blog post Tuesday.

The claims came in a blog post on Christmas Day by hacker Soroush Dalili. In his post, Dalili said that IIS 6, the version of Microsoft's Web server that came with Windows Server 2003, is vulnerable to attacks based on sending the server a file that uses semi-colons in the file name to trick IIS into thinking the file has one file extension when it actually has another.

"IIS can execute any extension as an Active Server Page or any other executable extension. For instance 'malicious.asp;.jpg' is executed as an ASP file on the server," Dalili said in a report on his blog (as PDF).

Given the popularity of IIS and the server's longevity, this would not be the first time that Microsoft has hurriedly patched a recently discovered zero-day in IIS. In September, the company warned customers of a zero-day and posted a Security Advisory, including a workaround, as soon as it came to light.

Although a month can seem like a long time in terms of vulnerabilities, Microsoft patched that IIS hole with October's "Patch Tuesday" bug fixes.

Microsoft also fixed a zero-day bug in older versions of IIS last spring. Outlining the zero-day attack scenario

However, sometimes what hackers think of as a zero-day may only be dangerous if the user jumps through enough hoops or makes some serious error or multiple errors. That, claims Microsoft, is the case this time around.

In this case, Microsoft claims that the attack scenario outlined by Dalili is unlikely unless an administrator goes against IIS 6's default configuration. One of the changes that would set up a possible attack is to allow users to upload and execute files, which is discouraged as a matter of course.

"There is a functionality issue here, but there is no security issue unless you already had a poorly configured server to begin with," said a post on a Microsoft blog dubbed Nazim's IIS Security Blog Tuesday.

Apparently, many in the security research agree with Microsoft's analysis.

Security researcher Secunia, rated the latest zero day as "less critical," the second-lowest ranking on the company's five-tier severity scale. That clashes with Dalili's claims that the zero day is "highly critical for Web applications."

Likewise for Symantec's SecurityFocus.

"This [bug report] is being retired. For an exploit to succeed, IIS must be configured in a nondefault way and contrary to the vendor's recommended best practices," said a posting on SecurityFocus Tuesday.

E-mails seeking comment from Dalili and Microsoft were not returned by press time.  

Stuart Johnston is a contributing writer to InternetNews.com, based in Bellevue, Wash.