123ArticleOnline Logo
Welcome to 123ArticleOnline.com!
ALL >> System-Network-Administration >> View Article

Microsoft Eschews Patch, Gives Exploit Code For Iis 5.0 Bug

Profile Picture
By Author: yvonne
Total Articles: 484
Comment this article
Facebook ShareTwitter ShareGoogle+ ShareTwitter Share

Saying that an Internet Information Server exploit is due to a feature, not a flaw, Microsoft has published exploit code for the flaw but no workaround or patch.
The exploit, which was discovered on Dec. 15, 2006, and made a Exams public at the end of May, works against IIS 5.x. By design, versions 5.x allow bypass of basic authentication by using the "hit highlight" feature. The hit-highlighting feature can be used by an unauthorized user to grab documents to which he or she has no privileges.
At the very least, this leaves IIS 5.x users vulnerable to data interception. And while the exploit hasn't been used to take over systems to date, that could well change, according to Swa Frantzen of the Internet Storm Center.
The ability to execute code is "unexplored, but hinted about," Frantzen wrote in a blog post on SANS' Internet Storm Center security alert site.
The ISC has tracked public exploits that apparently focus on leaking protected information.
According to Microsoft, which has written up the issue in its Knowledge Base article 328832, hit-highlighting ...
... with Webhits.dll only relies on the Microsoft Windows NT ACL (Access Control List) configuration on 5.x versions.
Microsoft "strongly [recommends] that all users upgrade to IIS (Internet Information Services) version 6.0 running on Microsoft Windows Server 2003. IIS 6.0 significantly increases Web infrastructure security," the company wrote in its KB article.
Microsoft is currently shipping IIS 6.0 of the Internet Information Services Server for Windows Server 2003. Microsoft is up to IIS 7.0 for Windows Vista and IIS 5.1 for MCITP Enterprise Administrator Windows XP Professional.
What are the security issues with Microsoft's "Surface"?
Yet, in spite of urging upgrading in order to gain improved security, Microsoft is treating the bug as a nonissue, providing no workaround nor indications that it will patch versions 5.0 and 5.1. "This behavior is by design," the KB article asserts.
Rather than supply a patch or workaround, Microsoft published six steps to reproduce the exploit”a response that is "a bit atypical," according to Frantzen. "Microsoft is telling the world how to exploit their products being used by their customers. Not that the worst of those interested in it did not already know, but the one thing we need from Microsoft is not the exploit, but the patch or at least a decent work-around," Frantzen wrote.
The only defensive information Microsoft gives is to urge users to upgrade to 6.0”an upgrade that's neither free nor easy, Frantzen pointed out. He provided these possible workarounds:
If you don't use the Web hits functionality, a simple workaround would be to remove the script mapping for .htw files. Without a script mapping, IIS should treat the file as static content.
Try to use application-level firewalls (filters). If you have the infrastructure it can be a temporary measure till you can upgrade IIS, solving the actual problem.
URLScan, a URL filter by Microsoft can be used to stop access to .htw files and is reported by some SANS-ISC readers as being effective.
Manage rights on the confidential files or directories themselves.
Upgrade to Apache or another Web server, with or without a (cross) upgrade of the OS.
Scramble an upgrade to Windows 2003, potentially on more potent hardware.
Frantzen advised IIS 5.x mcsa users that failing to find "null.htw" in a document root directory doesn't mean much”the exploit doesn't need the file.
Microsoft hadn't delivered a statement by the time this story posted.

Total Views: 230Word Count: 557See All articles From Author

Add Comment

System/Network Administration Articles

1. Features & Specifications Of Top Gaming Tablets In 2021
Author: Elisa Wilson

2. Cloud Computing….?
Author: Dr. L. Maria Michael Visuwasam

3. Fix Bigpond Email Issues Using Bigpond Email Support
Author: Bigpond Webmail

4. Google Plans To Achieve Private & Cookie-less Data Collection
Author: Elisa Wilson

5. How To Switch To Duckduckgo Private Engine
Author: Elisa Wilson

6. A Quick Guide For Cyber Security Awareness Training For Employees
Author: ITUNeed

7. Scientists Develop A Gene Therapyfor Rett Syndrome
Author: Elisa Wilson

8. Fix Malware - Professional Malware Removal Services
Author: Fix Malware

9. The Computer Is Locking Automatically: Here Are The Fixes
Author: Elisa Wilson

10. What Are The System Specifications Of Mcafee Move Antivirus?
Author: Elisa Wilson

11. Contrast Between Norton 360 And Norton Security 2021
Author: Elisa Wilson

12. What Are Questions It Business Owner Should Ask Before Hiring It Consultant?
Author: tech gofer

13. What Are The Benefits Of Having A Managed It Services On The Gold Coast
Author: Netlogyx

14. What Are The Benefits Of Hiring Professionals For Audio Visual Installation In Dublin?
Author: Philip Donoghue

15. Get Paid As Soon As Possible With Invoice Billing Software
Author: Ronny Jones

Login To Account
Login Email:
Password:
Forgot Password?
New User?
Sign Up Newsletter
Email Address: