The Expert's View with Jeremy Kirk

Risk Management , Technology

Old Microsoft IIS Servers Vulnerable to Zero-Day Exploit Microsoft Won't Patch, But Simple Workaround Fixes It
Old Microsoft IIS Servers Vulnerable to Zero-Day Exploit

More than 60,000 servers running Microsoft's out-of-support Internet Information Services web server software may be vulnerable to a newly revealed zero-day exploit. Microsoft won't patch the software and is advising users to move to newer versions.

See Also: Ransomware: The Look at Future Trends

The exploit targets a buffer overflow within IIS 6, which shipped with Windows Server 2003. Microsoft stopped supporting the product in July 2015.

More than half a million servers running the software in question seems bad, but it would appear that only a fraction are at risk. 

"If successfully exploited, this vulnerability could lead to remote code execution," writes Virendra Bisht, a threat researcher with Trend Micro. "Sometimes, an unsuccessful attack could still lead to denial of service conditions."

Zhiniang Peng and Chen Wu, both of South China University of Technology in Guangzhou, China, publicized the vulnerability, which they say has been exploited since as early as July or August 2016. They wrote an exploit, which has been published on GitHub.

Microsoft has very long lead times and warns customers extensively before retiring products. Nevertheless, some organizations or users fail to move to newer ones, putting them at perpetual risk when vulnerabilities such as this one are disclosed.

A Slovenia-based security company, Acros Security, writes that it found 600,000 servers running IIS 6.0 across the internet using the Shodan search engine.

"Sure, some will say that everyone should have stopped using Windows Server 2003 long ago as it doesn't get security patches any more," writes ACROS CEO Mitja Kolsek. "But owners of these servers each have their own story, their own set of constraints to work within and their own budgets that they would rather spend for something other than upgrading a server that works."

Server Count

More than half a million servers running the software in question seems bad, but it would appear that only a fraction are at risk.

The exploit is dependent on an IIS 6.0 server having WebDAV enabled. WebDAV, which stands for web distributed authoring and versioning, is an extension for HTTP that describes how HTTP can copy delete and move files.

Further investigation shows that only 60,000 public-facing IIS 6.0 servers have WebDAV enabled along with a header called PROPFIND that's necessary for successful exploitation, writes an infosec researcher, Iraklis Mathiopoulos. He cautioned the figure was a rough calculation.

"It's interesting to see if Microsoft is going to make an exception and issue a hotfix for this," Mathiopoulos writes.

The Fix

Trend Micro writes that disabling WebDAV eliminates the risk from the vulnerability, which doesn't affect newer versions of IIS. Kolsek's company also wrote a micropatch for the flaw. As Kolsek was developing the patch, he actually stumbled across a very similar bug.

"This second flaw was logically identical to the first one, and could be patched with effectively the same patch code using an additional patchlet," he writes.

His surprise finding of a second bug is a warning to the wise: If you can move off IIS 6.0 to something newer, do it sooner rather than later, because other bugs may be lurking in the code.



About the Author

Jeremy Kirk

Jeremy Kirk

Managing Editor, Security and Technology, ISMG

Jeremy Kirk is a 20-year veteran journalist who has reported from more than a dozen countries. An expat American now based in Sydney, he is Managing Editor for Security and Technology for Information Security Media Group. Prior to ISMG, he worked for 10 years from London and Sydney covering computer security and privacy for International Data Group. Further back, he covered military affairs from Seoul, South Korea, and general assignment news for his hometown paper in Illinois.




Around the Network