Update:
Microsoft downplays semi-colon bug in IIS.
Microsoft has said that the investigation is concluded. "What we have seen is that there is an inconsistency in IIS 6 only in how it handles semicolons in URLs. It’s this inconsistency that the claims have focused on, saying this enables an attacker to bypass content filtering software to upload and execute code on an IIS server," says a statement on the MSRC blog.
"The key in this is the last point: for the scenario to work, the IIS server must already be configured to allow both “write” and “execute” privileges on the same directory. This is not the default configuration for IIS and is contrary to all of our published best practices. Quite simply, an IIS server configured in this manner is inherently vulnerable to attack. However, customers who are using IIS 6.0 in the default configuration or following our recommended best practices don’t need to worry about this issue."
Indeed. Well, while this isn't much of an update, it would appear Microsoft considers this a closed case. More information is here.
Original Article:
A flaw in Microsoft Internet Information Services (IIS) was discovered shortly before the holiday weekend, and after a few days of nothing from Redmond, the software giant has issued an alert that mostly downplays the problem.
Researcher Soroush Dalili published information on the vulnerability [PDF Here], which centers on how IIS parses filenames that have a semi-colon or colon in them. For example, “malicious.asp;.jpg” is executed as an ASP file on the server, Dalili explained in the report. According to Dalili, 70 percent of the secure file uploaders tested last summer were bypassed using this vulnerability.
Secunia confirmed the vulnerability on IIS v6. Dalili reports that IIS v7 has not been tested and that IIS v7.5 is not vulnerable. In addition, Dalili's report lists the severity as high, because the attacker can bypass file extension protections. (Secunia lists the vulnerability as less critical.)
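To show why extension-based upload filters miss a name like the one quoted above, here is an added example (not code from Dalili's report or from Microsoft) that compares a last-extension check with a strict allowlist check. The allowed extensions, function names and sample names other than “malicious.asp;.jpg” are assumptions made for illustration.

```python
import os
import re
import uuid

ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif"}  # assumed upload policy
# Exactly one dot, conservative characters only: no ';', ':', '/', '\\' or spaces.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]+\.[A-Za-z0-9]+")


def naive_is_allowed(filename: str) -> bool:
    """Check only the text after the last dot, as many upload filters do."""
    return os.path.splitext(filename)[1].lower() in ALLOWED_EXTENSIONS


def strict_is_allowed(filename: str) -> bool:
    """Accept only 'name.ext' where ext is allowlisted.

    Rejects ';' and ':' (the characters the report says IIS mishandles),
    path separators, and any name carrying more than one extension.
    """
    if not SAFE_NAME.fullmatch(filename):
        return False
    return os.path.splitext(filename)[1].lower() in ALLOWED_EXTENSIONS


def stored_name(filename: str) -> str:
    """Return a server-generated name so client-supplied text never hits disk."""
    if not strict_is_allowed(filename):
        raise ValueError(f"rejected upload name: {filename!r}")
    return uuid.uuid4().hex + os.path.splitext(filename)[1].lower()


def audit(names):
    """Map each name to (naive verdict, strict verdict)."""
    return {n: (naive_is_allowed(n), strict_is_allowed(n)) for n in names}


# Constructed sample names; the first is the example quoted in the article.
SAMPLES = ["malicious.asp;.jpg", "photo.jpg", "report.asp",
           "a.asp:.jpg", "x.asp.jpg"]

if __name__ == "__main__":
    for name, (naive, strict) in audit(SAMPLES).items():
        print(f"{name:22} naive={naive!s:5} strict={strict}")
```

A filter like this complements, rather than replaces, keeping “write” and “execute” permissions off the same directory, which is the configuration point Microsoft's statement turns on.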
Comments from SANS over the weekend agreed with the severity assessment, noting that the problem is “going to be widely exploited soon, quite successfully, and not only by the usual suspects, but more effectively by the specialized groups of attackers that are after unrestricted access to your protected network...”
However, Microsoft downplayed the assessments and news surrounding the vulnerability in a statement issued on Sunday. “We are still investigating this issue and are not aware of any active attacks but wanted to let customers know that our initial assessment shows that the IIS web server must be in a non-default, unsafe configuration in order to be vulnerable,” said Jerry Bryant on the MSRC blog.
“An attacker would have to be authenticated and have write access to a directory on the web server with execute permissions which does not align with best practices or guidance Microsoft provides for secure server configuration. Customers using out of the box configurations and who follow security best practices are at reduced risk of being impacted by issues like this.”
Microsoft referenced several best practices guides for mitigating the issues, but only said that a patch for the vulnerability would be issued if needed once the investigation concludes.