Microsoft Releases Security Advisory For IIS Flaw
The security flaw, which affects numerous versions of Microsoft IIS, occurs in the handling of HTTP requests. An attacker could exploit the flaw by creating a malicious anonymous HTTP request to gain unauthorized access to a Web server in order to view or steal personally identifying and financial information as well as other sensitive data.
Eric Schultze, chief technology officer for Shavlik Technologies, said that the IIS flaw allows a hacker controlling an anonymous user account to access certain Web server files while prohibiting access from other authorized accounts contained in the access control list.
"If [IT administrators] were sloppy in setting up the access control list, you could leverage this flaw to give you access to read everything on the system," he said.
A worst-case scenario would enable a hacker to access user names and passwords for other accounts on the server, which could then be used to launch another attack that would give attackers unfettered control of the Web server.
However, the vulnerability does not by itself allow remote code execution, which mitigates the potential severity of the flaw, Schultze said.
"If this one was remote code execution, I'd be very concerned," he said. "This one allows people to read some files off the Web server, but that could be dangerous depending on what the attacker was reading."
While Microsoft maintained that there are no known attacks exploiting the vulnerability in the wild, security experts speculated that some kind of malicious activity related to the flaw had likely prompted Microsoft to release a public security advisory.
"They issue an advisory when they think that something is going on out there," Schultze said. "But it's mitigated and it's not nearly as bad as the Web server flaws of early 2000."
Since 2000, Microsoft has issued only a handful of patches repairing IIS flaws -- one each in 2006 and 2008, and two in 2004.
While the company hasn't yet created a patch fixing the problem, workarounds include disabling WebDAV or changing the file system ACLs to deny access to the anonymous user account. IT administrators also need to run an IIS lockdown tool and URL scanning tools, Schultze said.
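As an added example (not from the article, Shavlik or Microsoft), a small Python script that reviews IIS W3C extended log lines for WebDAV requests made by the anonymous account: a successful anonymous WebDAV request means the disable-WebDAV / deny-anonymous workaround is not in effect on that path, while 401/403 responses show attempts being rejected. The field names are the standard IIS W3C log fields; the log lines themselves are constructed.

```python
# Added example: check IIS W3C logs for anonymous WebDAV requests.
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE",
                  "LOCK", "UNLOCK", "SEARCH"}

# Constructed sample log (not real traffic); cs-username "-" is the anonymous account.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2009-05-18 10:01:02 192.0.2.10 GET /index.htm - 80 - 198.51.100.7 Mozilla/4.0 200 0 0
2009-05-18 10:01:05 192.0.2.10 PROPFIND /protected/ - 80 - 198.51.100.7 Mozilla/4.0 207 0 0
2009-05-18 10:01:09 192.0.2.10 PROPFIND /protected/ - 80 - 198.51.100.9 Mozilla/4.0 401 2 5
2009-05-18 10:01:12 192.0.2.10 PROPFIND /protected/ - 80 CORP\\alice 198.51.100.11 Mozilla/4.0 207 0 0
"""


def parse_w3c(text):
    """Yield one dict per record, naming columns from the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue  # skip records that cannot be mapped to the header
        yield dict(zip(fields, values))


def anonymous_webdav(text):
    """Return (succeeded, blocked): anonymous WebDAV requests split by outcome."""
    succeeded, blocked = [], []
    for rec in parse_w3c(text):
        if rec["cs-method"] not in WEBDAV_METHODS or rec["cs-username"] != "-":
            continue
        status = int(rec["sc-status"])
        entry = (rec["c-ip"], rec["cs-method"], rec["cs-uri-stem"], status)
        (succeeded if 200 <= status < 300 else blocked).append(entry)
    return succeeded, blocked


if __name__ == "__main__":
    ok, denied = anonymous_webdav(SAMPLE_LOG)
    for e in ok:
        print("WORKAROUND NOT IN EFFECT: anonymous WebDAV succeeded", e)
    for e in denied:
        print("blocked anonymous WebDAV attempt", e)
```

Point it at a real log by reading the file contents into `anonymous_webdav`; any entry in the first list is a path where WebDAV is still reachable anonymously.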
Microsoft maintained in its advisory that it is working to further investigate the vulnerability. Remediation could include a patch released in Microsoft's monthly patch cycle or an out-of-band security update, depending on the severity of the vulnerability. Schultze said that it was likely Microsoft would patch the flaw during its monthly security update release.
"I'm guessing [that's] because Microsoft has not said they're seeing widespread exploitation," he said. "If we started to see big exploits coming out, if it was worse than they anticipated, then we'll see it out of band. This pales in comparison to other items."