Microsoft IIS Security Bug Leaves Web Servers Vulnerable

Reports of a zero-day vulnerability affecting Microsoft Internet Information Services surfaced on the Web Dec. 24. Microsoft says it is investigating the matter, and has found so far that only certain configurations of IIS are vulnerable to attack.

Microsoft is investigating reports of a new vulnerability affecting Microsoft Internet Information Services that could be used to execute malicious code on vulnerable Web servers.

Details of the vulnerability came out Dec. 25 when security researcher Soroush Dalili posted information about the bug on his Website. According to security company Secunia, the vulnerability is caused by the Web server "incorrectly executing e.g. ASP [Active Server Pages] code included in a file having multiple extensions separated by ';', only one internal extension being equal to '.asp' (e.g. 'file.asp;.jpg'). This can be exploited to potentially upload and execute arbitrary ASP code via a third-party application using file extensions to restrict uploaded file types."

In his write-up of the issue, Dalili explained, "IIS can execute any extension as an Active Server Page ... Many file uploaders protect the system by checking only the last section of the file name as its extension. And by using this vulnerability, an attacker can bypass this protection and upload a dangerous executable file on the server."

Though Dalili characterized the vulnerability as highly critical, others were not quite as alarmed. Secunia rated it "less critical," and Microsoft Security Program Manager Jerry Bryant wrote in a Microsoft Security Response Center blog post Dec. 27 that Microsoft so far has found that the issue only affects IIS in a non-default, insecure setting.

"An attacker would have to be authenticated and have write access to a directory on the Web server with execute permissions, which does not align with best practices or guidance Microsoft provides for secure server configuration," Bryant wrote. "Customers using out-of-the-box configurations and who follow security best practices are at reduced risk of being impacted by issues like this."

Information about IIS security best practices can be found here.

This is not the first vulnerability to be found in IIS in 2009. In October, Microsoft issued patches to cover two FTP vulnerabilities in IIS after proof-of-concept code made its way on to the Internet.

As of Dec. 27, Microsoft had not seen any active attacks targeting the vulnerability, but Bryant stated that the investigation will continue.

"Once we're done investigating, we will take appropriate action to help protect customers," he wrote. "This may include providing a security update through the monthly release process, an out-of-cycle update or additional guidance to help customers protect themselves."