Microsoft Warns of 10 IIS Flaws

In a move of virtually unprecedented scope, Microsoft Corp. on Wednesday released a bulletin warning of 10 new security vulnerabilities in several versions of its IIS Web server, several of which could give an attacker total control over a vulnerable system.

The vulnerabilities affect Internet Information Server 4.0, 5.0 and 5.1 in varying degrees. A cumulative patch is available for all of the new flaws here.

The most serious flaws are five separate buffer overruns in various parts of the code. There are two overruns in the data transfer mechanism in the Active Server Pages code, each of which could be exploited by overrunning the systems heap memory. This attack would either crash the IIS service or allow the attacker to run whatever code he chooses on servers running IIS 4.0.

Default installations of IIS 5.0 and 5.1 would give the attacker a lower set of privileges, the Microsoft bulletin said.

There are three other buffer overruns as well, one affecting the processing of HTTP headers; one resulting from an improper safety check during server-side includes; and another affecting the HTR ISAPI extension in IIS 4.0 and 5.0.

This bulletin is the latest in a series of fixes for the various versions of IIS, which has been much maligned in the last year. It was the target of choice of both the infamous Code Red worm and the Nimda worm, and its spate of security problems, in part, led to the development of Microsofts current Trustworthy Computing initiative.

Microsoft officials acknowledge IIS spotty record, but contend that buffer overruns—the most common of security vulnerabilities–are an industrywide problem, and one that the company is trying to root out.

“Buffer overruns are frequently sought after vulnerabilities by people doing security research and people who want to attack systems,” said Scott Culp, manager of the Microsoft Security Response Center in Redmond, Wash. “Were trying to get better about eliminating them in our code. When theyre found, theyre frequently serious.”

The overruns described in this latest bulletin have more serious consequences for systems running IIS 4.0, Culp said, because later versions of the product have improved security models that prevent the flaws from granting attackers system-level privileges.

IIS 4.0 only installs as part of the Windows NT 4.0 Option Pack. IIS 5.0 installs as part of Windows 2000 and runs by default on Windows 2000 Server, but must be turned on manually on workstations running that operating system, Culp said. And IIS 5.1 is only installed as part of Windows XP Professional.

In addition to the buffer overruns, the new bulletin also warns of two denial-of-service vulnerabilities and three cross-site scripting problems in IIS.

Related stories:

• Microsoft Tool Scans for Flaws, Missing Patches
• Trusting in Microsoft
• Microsoft Takes Security Defense