123ArticleOnline Logo
Welcome to 123ArticleOnline.com!
ALL >> System-Network-Administration >> View Article

Microsoft Eschews Patch, Gives Exploit Code For Iis 5.0 Bug

Profile Picture
By Author: yvonne
Total Articles: 484
Comment this article
Facebook ShareTwitter ShareGoogle+ ShareTwitter Share

Saying that an Internet Information Server exploit is due to a feature, not a flaw, Microsoft has published exploit code for the flaw but no workaround or patch.
The exploit, which was discovered on Dec. 15, 2006, and made a Exams public at the end of May, works against IIS 5.x. By design, versions 5.x allow bypass of basic authentication by using the "hit highlight" feature. The hit-highlighting feature can be used by an unauthorized user to grab documents to which he or she has no privileges.
At the very least, this leaves IIS 5.x users vulnerable to data interception. And while the exploit hasn't been used to take over systems to date, that could well change, according to Swa Frantzen of the Internet Storm Center.
The ability to execute code is "unexplored, but hinted about," Frantzen wrote in a blog post on SANS' Internet Storm Center security alert site.
The ISC has tracked public exploits that apparently focus on leaking protected information.
According to Microsoft, which has written up the issue in its Knowledge Base article 328832, hit-highlighting ...
... with Webhits.dll only relies on the Microsoft Windows NT ACL (Access Control List) configuration on 5.x versions.
Microsoft "strongly [recommends] that all users upgrade to IIS (Internet Information Services) version 6.0 running on Microsoft Windows Server 2003. IIS 6.0 significantly increases Web infrastructure security," the company wrote in its KB article.
Microsoft is currently shipping IIS 6.0 of the Internet Information Services Server for Windows Server 2003. Microsoft is up to IIS 7.0 for Windows Vista and IIS 5.1 for MCITP Enterprise Administrator Windows XP Professional.
What are the security issues with Microsoft's "Surface"?
Yet, in spite of urging upgrading in order to gain improved security, Microsoft is treating the bug as a nonissue, providing no workaround nor indications that it will patch versions 5.0 and 5.1. "This behavior is by design," the KB article asserts.
Rather than supply a patch or workaround, Microsoft published six steps to reproduce the exploit”a response that is "a bit atypical," according to Frantzen. "Microsoft is telling the world how to exploit their products being used by their customers. Not that the worst of those interested in it did not already know, but the one thing we need from Microsoft is not the exploit, but the patch or at least a decent work-around," Frantzen wrote.
The only defensive information Microsoft gives is to urge users to upgrade to 6.0”an upgrade that's neither free nor easy, Frantzen pointed out. He provided these possible workarounds:
If you don't use the Web hits functionality, a simple workaround would be to remove the script mapping for .htw files. Without a script mapping, IIS should treat the file as static content.
Try to use application-level firewalls (filters). If you have the infrastructure it can be a temporary measure till you can upgrade IIS, solving the actual problem.
URLScan, a URL filter by Microsoft can be used to stop access to .htw files and is reported by some SANS-ISC readers as being effective.
Manage rights on the confidential files or directories themselves.
Upgrade to Apache or another Web server, with or without a (cross) upgrade of the OS.
Scramble an upgrade to Windows 2003, potentially on more potent hardware.
Frantzen advised IIS 5.x mcsa users that failing to find "null.htw" in a document root directory doesn't mean much”the exploit doesn't need the file.
Microsoft hadn't delivered a statement by the time this story posted.

Total Views: 412Word Count: 557See All articles From Author

Add Comment

System/Network Administration Articles

1. Fiber Fused Biconical Taper Systems And Fiber Cable Cutting Machine Potential
Author: Ryan

2. Understanding Polarization Maintaining Fiber Rotation Systems And Their Applications
Author: Ryan

3. Cat6a Patch Cable: The Best Preference For Comprehensive Cabling
Author: Ryan

4. A Brief Idea About The Mtp/mpo Cables And Their Use
Author: Ryan

5. 5 Reasons Why A Smart Bus Ticketing System Is The Future Of Public Transport
Author: Limon

6. How To Implement Technology In Your Inbound Call Center?
Author: DialDesk

7. How To Choose An Enterprise Help Desk It Support Company
Author: Entrust Network Services

8. Cost-effective Network Solutions For Offices In Singapore
Author: Entrust Network Services

9. Choosing Between Uv Light And Heat Ovens For Superior Performance
Author: James

10. The Right Tools And The Right Radius Are Vital In A Fiber Optic Polishing Process
Author: James

11. Lc And Sc Connectors Explained: Which Fiber Connection Is Right For You?
Author: James

12. A Closer Look At Armored Fiber Patch Cables
Author: James

13. The Essential Guide To Fiber Connectors: Sc, Fc, Lc, And St Explained
Author: Ryan

14. Wireless Network Setup Solutions For Offices By Entrust Network
Author: Entrust Network Services

15. Pcb Manufacturing: Understanding The Burn-in Test Process
Author: Ryan

Login To Account
Login Email:
Password:
Forgot Password?
New User?
Sign Up Newsletter
Email Address: