Microsoft Eschews Patch, Gives Exploit Code for IIS 5.0 Bug

Updated: Microsoft says the vulnerability is actually a feature but urges customers to upgrade to a later version of Internet Information Server.

Saying that an Internet Information Server exploit is due to a feature, not a flaw, Microsoft has published exploit code for the flaw but no workaround or patch. (Microsoft has removed the exploit code since this story first posted, saying that it was posted inadvertently.)

The exploit, which was discovered on Dec. 15, 2006, and made public at the end of May, works against IIS 5.x. By design, versions 5.x allow bypass of basic authentication by using the "hit highlight" feature. The hit-highlighting feature can be used by an unauthorized user to grab documents to which he or she has no privileges.

At the very least, this leaves IIS 5.x users vulnerable to data interception. And while the exploit hasnt been used to take over systems to date, that could well change, according to Swa Frantzen of the Internet Storm Center.

The ability to execute code is "unexplored, but hinted about," Frantzen wrote in a blog post on SANS Internet Storm Center security alert site.

The ISC has tracked public exploits that apparently focus on leaking protected information.

According to Microsoft, which has written up the issue in its Knowledge Base article 328832, hit-highlighting with Webhits.dll only relies on the Microsoft Windows NT ACL (Access Control List) configuration on 5.x versions.

Microsoft "strongly [recommends] that all users upgrade to IIS (Internet Information Services) version 6.0 running on Microsoft Windows Server 2003. IIS 6.0 significantly increases Web infrastructure security," the company wrote in its KB article.

Microsoft is currently shipping IIS 6.0 of the Internet Information Services Server for Windows Server 2003. Microsoft is up to IIS 7.0 for Windows Vista and IIS 5.1 for Windows XP Professional.

/zimages/1/28571.gifWhat are the security issues with Microsofts "Surface"? Click here to read more.

Yet, in spite of urging upgrading in order to gain improved security, Microsoft is treating the bug as a nonissue, providing no workaround nor indications that it will patch versions 5.0 and 5.1. "This behavior is by design," the KB article asserts.

Rather than supply a patch or workaround, Microsoft published six steps to reproduce the exploit—a response that is "a bit atypical," according to Frantzen. "Microsoft is telling the world how to exploit their products being used by their customers. Not that the worst of those interested in it did not already know, but the one thing we need from Microsoft is not the exploit, but the patch or at least a decent work-around," Frantzen wrote.

As it turns out, Microsoft told eWEEK on June 5, the publishing of exploit code on the KB article was a goof. "In working with the researcher to develop the KB article to better educate customers, we inadvertently included sample steps the researcher provided to us to highlight the risks of using the feature incorrectly that could be misused," a spokesperson said. "Once we learned of this issue, we immediately removed the information. … We are currently working to update the KB article to provide customers with the appropriate level of information to help protect themselves from this issue."

The issue is creaky with age, at any rate: Microsoft originally published Knowledge Base article 328832 in 2002 because a researcher approached the company to express concern about the implications of people misusing the IIS hit-highlighting feature.

The company still wont commit to a patch. The only defensive information Microsoft gives is to urge users to upgrade to 6.0—an upgrade thats neither free nor easy, Frantzen pointed out. He provided these possible workarounds:

  • If you dont use the Web hits functionality, a simple workaround would be to remove the script mapping for .htw files. Without a script mapping, IIS should treat the file as static content.
  • Try to use application-level firewalls (filters). If you have the infrastructure it can be a temporary measure till you can upgrade IIS, solving the actual problem.
  • URLScan, a URL filter by Microsoft can be used to stop access to .htw files and is reported by some SANS-ISC readers as being effective.
  • Manage rights on the confidential files or directories themselves.
  • Upgrade to Apache or another Web server, with or without a (cross) upgrade of the OS.
  • Scramble an upgrade to Windows 2003, potentially on more potent hardware.

Frantzen advised IIS 5.x users that failing to find "null.htw" in a document root directory doesnt mean much—the exploit doesnt need the file.

Editors Note: This story was updated to include input from Microsoft.

Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.