Microsoft Plugs IIS Security Holes

Microsoft acknowledges that there have been too many holes in the software for its dominant Web server, and promises to ensure that future products go out the door with safeguards to avoid another string of embarrassing problems.

Download the authoritative guide: The Ultimate Guide to IT Security Vendors

Microsoft acknowledges that there have been too many holes in the software for its dominant Web server, and promises to ensure that future products go out the door with safeguards to avoid another string of embarrassing problems.

The company published a patch on June 18 to correct a serious exposure on all versions of its Internet Information Server (IIS), a workhorse for e-commerce Web sites.

"There have been too many vulnerabilities found in IIS," admitted Scott Culp, program manager at Microsofts Security Response Center.

The troubles with IIS could affect millions of Web sites. "Around half of the Internets e-commerce sites run on Microsofts IIS, and there is a potential for a great deal of economic damage," said Netcraft, a British surveyor of Web sites.

In May, hackers took control of at least 9,000 Microsoft IIS sites, according to, a site tracking Web site break-ins.

Microsoft has started using a code analysis tool, Prefix, that scrutinizes products under development for holes, which it flags for removal, Culp explained. Within a few weeks, Microsoft will offer system administrators tools "to make it easier to make sure youre running only the services you need in IIS," he added.

The vulnerability announced June 18 was on one little-used part of the system, but its a part that is installed by default unless a system administrator specifically shuts it down, Culp said. The IIS code that allows the Web server to interact with Microsofts Indexing Service contained a simple buffer overflow exposure. Code rigged remotely by an intruder could fill a memory space or buffer with more code than called for, causing the application to fail. When the server restarts, the attacker can gain control.

By closing all but the necessary components of IIS, such as the Indexing Service, many avenues into the server are "locked down," Culp said.

Over the last 13 months, the Computer Emergency Response Team Coordination Center (CERT/CC) has published six bulletins on IIS vulnerabilities, including one on May 8 about the "sadmind" worm, which takes over a Sun Microsystems Solaris server, then begins looking for and compromising Microsoft IIS servers on the same network.

However, IIS isnt the only Microsoft product plagued by vulnerabilities. Microsofts Exchange e-mail and groupware application has been the subject of recent security announcements, and both ActiveX Controls and Visual Basic for Applications scripts — both powerful tools in the hands of an intruder — have been the subject of alerts and patches. Of the last 10 alerts from the CERT team, four have concerned Microsoft products.

Microsofts Culp makes a point that 40 percent is not necessarily out of line with the percentage of Microsoft products in use on the Internet.

Of course, much attention is drawn to Microsoft because of its size. "Microsoft seems to be a common target" of publicity-hungry researchers, said Tim Belcher, chief technology officer at online security service provider Riptech. Microsoft code is combed for vulnerabilities because researchers believe they are there, and because of the reward of public attention for finding them, Belcher said.

But competitors and analysts say that Microsofts security problems wont be easy to eradicate.

When it comes to verifying that downloaded code is what you think it is, "ActiveX has had some specific concerns," said Jeff Havrilla, an Internet security analyst. That includes a lack of warning that an ActiveX control is about to do something to the computer that the owner might wish to prevent, Havrilla said.

Larry Abrahams, director of engineering for Java 2 Standard Edition at Sun, said Microsoft products and others based on C and C++ are subject to the weaknesses of those programming languages. Once an intruder gets inside a server running C programs, he or she may stage buffer overflows, access files and overwrite data.

Gary McGraw, vice president of technology at Cigital, a software security assessment firm, said that for years, Microsoft has produced software for consumers, and consumers only demand a certain amount of security. Now, Windows NT, ActiveX and other products are being used in corporate settings, "and security is more important." Microsoft will have to build more stringent security elements into its designs, not patch products afterward, McGraw said.