Microsoft reports that a zero-day vulnerability in Internet Information Services is now the subject of limited attacks. Exploit code for the IIS vulnerability is known to have been circulating publicly for the past several days.

Microsoft officials are reporting limited attacks targeting a zero-day vulnerability in the FTP service in Internet Information Services.

The IIS vulnerability warning follows the release of new exploit code that can be used to create a DoS (denial of service) condition on Windows XP and Windows Server 2003 without requiring write access. In addition, a new proof of concept allowing a DoS was disclosed Sept. 2 that affects FTP 6, which shipped with Windows Vista and Windows Server 2008.

Microsoft first issued an advisory on the bug Sept. 1, a day after exploit code for the vulnerability was posted on Milw0rm. Beyond a DoS, successful exploitation of the bug can allow remotely authenticated users to execute arbitrary code via a crafted NLST command that uses wildcards.

"An attacker with access to FTP Service could use this vulnerability to cause a stack-based overrun that could allow execution of arbitrary code in the context of the LocalSystem account on systems running IIS 5.0, or denial of service on affected systems running IIS 5.0, IIS 5.1, IIS 6.0 or IIS 7.0," Microsoft warned. "In configurations of FTP Service where anonymous authentication is allowed, the attacker need not be authenticated for exploitation to occur."

Microsoft stated Aug. 31 that a patch for the vulnerability is on the way. In the meantime, information on mitigations and workarounds has been made available. Microsoft advised administrators to modify NTFS (NT File System) permissions to disallow directory creation by FTP users and to disallow FTP write access to untrusted anonymous users. Users can also upgrade to FTP Service 7.5.
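As an added illustration (not from the article or from Microsoft), here is a small Python check a defender could run over IIS FTP logs to surface the two conditions the article names: NLST commands carrying wildcards, and directory creation by anonymous users, which the NTFS workaround is meant to remove. The W3C column layout, the `[n]VERB` form of cs-method, and the log lines themselves are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample in IIS W3C extended log format. Assumption: the FTP service logs the
# verb in cs-method as "[connection-id]VERB" and its argument in cs-uri-stem; column
# order comes from the #Fields header rather than being hard-coded.
SAMPLE_LOG = """#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem sc-status sc-win32-status
2009-09-01 12:00:01 203.0.113.5 anonymous 192.0.2.10 21 [1]USER anonymous 331 0
2009-09-01 12:00:03 203.0.113.5 anonymous 192.0.2.10 21 [1]MKD upload 257 0
2009-09-01 12:00:05 203.0.113.5 anonymous 192.0.2.10 21 [1]NLST upload/*/* 426 0
2009-09-01 12:00:09 198.51.100.7 alice 192.0.2.10 21 [2]NLST *.txt 226 0
"""
WILDCARD = re.compile(r"[*?]")

@dataclass
class Finding:
    line_no: int
    client: str
    user: str
    severity: str
    reason: str

def parse_w3c(text):
    """Yield (line_no, record) pairs, naming columns from the #Fields header."""
    fields = None
    for no, line in enumerate(text.splitlines(), 1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            if fields is None:
                raise ValueError("data record before #Fields header")
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed records
                yield no, dict(zip(fields, values))

def ftp_verb(rec):
    """Drop the [n] connection prefix IIS puts in front of the FTP verb."""
    return re.sub(r"^\[\d+\]", "", rec["cs-method"]).upper()

def review(text):
    """Flag NLST wildcard use (high when anonymous) and anonymous directory creation."""
    findings = []
    for no, rec in parse_w3c(text):
        verb, arg, user = ftp_verb(rec), rec["cs-uri-stem"], rec["cs-username"].lower()
        if verb == "NLST" and WILDCARD.search(arg):
            sev = "high" if user == "anonymous" else "review"
            findings.append(Finding(no, rec["c-ip"], user, sev, f"NLST with wildcard {arg!r}"))
        elif verb in ("MKD", "XMKD") and user == "anonymous":
            findings.append(Finding(no, rec["c-ip"], user, "high", "MKD by anonymous user"))
    return findings
```

Wildcards in NLST are legitimate for authenticated users, so those hits are marked "review" rather than "high"; an anonymous MKD success is the stronger signal, since it means the write restriction in the workaround is not in place.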
A fix for the vulnerability is not expected to be included in the Sept. 8 Patch Tuesday release.