All five are classified as remote code execution vulnerabilities in Microsoft Windows. The bulletins cover various editions of the operating system, ranging from Windows 2000 to Windows Server 2008.
Though Microsoft offered few details regarding the bulletins, the company did say a fix for the IIS (Internet Information Services) FTP service vulnerability made public Aug. 31 is not included in the mix. The IIS bug is a buffer overflow vulnerability in the FTP server in IIS 5.0 and 6.0 that allows remotely authenticated users to execute arbitrary code via a crafted NLST command that uses wildcards.
Exploit code for the IIS vulnerability was posted to the milw0rm site Aug. 31, apparently catching Microsoft off-guard. Though Microsoft officials have said they are unaware of any attacks targeting the vulnerability, they stated that work on a patch is under way.
“As noted in an earlier blog post, we have spun up our SSIRP (Software Security Incident Response Process) process to address this issue and our teams are working hard to produce an update,” blogged Jerry Bryant of Microsoft’s Security Response Center. “Please keep an eye on the advisory for more information and, if you are not already, please subscribe to our comprehensive alerts to receive updates by e-mail.”
In the meantime, information on mitigations and workarounds has been made available. Microsoft advised administrators to modify NTFS (NT File System) permissions to disallow directory creation by FTP users and to disallow FTP write access to untrusted anonymous users.