Microsoft IIS ASP Multiple Extensions Security Bypass
A flaw in Microsoft Internet Information Services (IIS) was discovered shortly before the holiday weekend, and after a few days of nothing from Redmond, the software giant has issued an alert that mostly downplays the problem.
Researcher Soroush Dalili published information on the vulnerability [PDF Here], which centers on how IIS parses filenames that contain a semi-colon or colon. For example, “malicious.asp;.jpg” is executed as an ASP file on the server, Dalili explained in the report. According to Dalili, 70 percent of the secure file uploaders tested last summer were bypassed using this vulnerability.
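To make the parsing problem concrete, here is an added example (not from Dalili's report or from Microsoft) contrasting the kind of extension check the bypass defeats with one that accounts for how IIS 6 maps such names; the allow-list and sample upload names are constructed.

```python
import os
import re

# Added example: an upload-filename check that accounts for the IIS 6 quirk the
# article describes, where "malicious.asp;.jpg" is mapped to the ASP handler
# because IIS truncates the name at ';' (or ':'). Allow-list is constructed.
ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif"}


def naive_extension_ok(filename: str) -> bool:
    """The check the bypass defeats: only the final extension is inspected."""
    return os.path.splitext(filename)[1].lower() in ALLOWED_EXTENSIONS


def iis_effective_name(filename: str) -> str:
    """Name IIS 6 actually maps to a handler: everything before the first ';' or ':'."""
    return re.split(r"[;:]", filename, maxsplit=1)[0]


def hardened_extension_ok(filename: str) -> bool:
    """Reject names IIS would truncate, then require exactly one allowed extension."""
    effective = iis_effective_name(filename)
    if effective != filename:          # contained ';' or ':' -> would be truncated
        return False
    stem, ext = os.path.splitext(effective)
    if not stem or "." in stem:        # empty stem or double extension like a.asp.jpg
        return False
    return ext.lower() in ALLOWED_EXTENSIONS


def compare_checks(filenames):
    """Return {name: (naive_verdict, hardened_verdict)} for a list of upload names."""
    return {f: (naive_extension_ok(f), hardened_extension_ok(f)) for f in filenames}


# Constructed sample upload names, including the bypass form quoted in the article.
SAMPLE_UPLOADS = ["photo.jpg", "malicious.asp;.jpg", "malicious.asp:.jpg", "shell.asp"]

if __name__ == "__main__":
    for name, (naive, hardened) in compare_checks(SAMPLE_UPLOADS).items():
        print(f"{name:22} naive={naive!s:5} hardened={hardened!s:5} "
              f"iis_maps_to={iis_effective_name(name)}")
```

The naive check accepts "malicious.asp;.jpg" because the last extension is .jpg, while the hardened check rejects it because IIS 6 would serve it as malicious.asp.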
Secunia confirmed the vulnerability on IIS v6; Dalili reports that IIS v7 has not been tested and that IIS v7.5 is not vulnerable. In addition, Dalili's report lists the severity as high, since the attacker can bypass file extension protections. (Secunia lists the vulnerability as less critical.)
Comments from SANS over the weekend agreed with the severity assessment, noting that the problem is “going to be widely exploited soon, quite successfully, and not only by the usual suspects, but more effectively by the specialized groups of attackers that are after unrestricted access to your protected network…”
However, Microsoft downplayed the assessments and news surrounding the vulnerability in a statement issued on Sunday. “We are still investigating this issue and are not aware of any active attacks but wanted to let customers know that our initial assessment shows that the IIS web server must be in a non-default, unsafe configuration in order to be vulnerable,” said Jerry Bryant on the MSRC blog.
“An attacker would have to be authenticated and have write access to a directory on the web server with execute permissions, which does not align with best practices or guidance Microsoft provides for secure server configuration. Customers using out of the box configurations and who follow security best practices are at reduced risk of being impacted by issues like this.”
Microsoft referenced several best practices guides for mitigating the issues, but only said that a patch for the vulnerability would be issued if needed once the investigation concludes.