September 2nd, 2009, 14:01 GMT · By

Microsoft Confirms IIS 5.0, 5.1 and 6.0 0-Day Vulnerability

Microsoft has offered official confirmation of a new zero-day vulnerability impacting various releases of Internet Information Services (IIS). The security flaw resides in the FTP service, explained Alan Wallace, senior communications manager for the security response communications team at Microsoft, noting that in the eventuality of a successful attack, affected systems are at risk of remote code execution. However, Wallace revealed that Microsoft had not detected any active attacks using exploits designed to take advantage of this specific IIS 0-day vulnerability.

This is despite the fact that proof-of-concept and detailed exploit code have already been published and are available in the wild. According to the Redmond-based company, customers running the File Transfer Protocol (FTP) Service in Microsoft Internet Information Services (IIS) 5.0, 5.1, and 6.0 are at risk of potential exploits. Consequently, Windows 2000, Windows XP, and Windows Server 2003, the platforms that ship those IIS releases, are also affected.

“Upon learning of the vulnerability, Microsoft activated its Software Security Incident Response Process (SSIRP) and continues to investigate the issue. Microsoft is currently working to develop a security update for this issue to address this vulnerability and will release it once it has reached an appropriate level of quality for broad distribution. In the meantime, Security Advisory 975191 contains guidance that customers can deploy to help protect themselves. Please see the advisory for a list of all affected products. Microsoft recommends customers review and implement the workarounds outlined in the Security Advisory,” Wallace advised.

Indeed, customers running IIS versions 5.0, 5.1, and 6.0 can turn to Microsoft Security Advisory (975191) for guidance on how to mitigate potential exploits targeting the FTP vulnerability until the software giant makes a patch available. Depending on the severity of the flaw and the level of risk to customers, Microsoft could provide an out-of-band security update, or deliver a patch with its monthly patch releases.

“The advisory lists several options to protect your servers from this vulnerability until a fully-tested security update is available. The end result of the workarounds is to prevent untrusted users from having write access to the FTP service. The options presented in the advisory include: turn off the FTP service if you do not need it; prevent creation of new directories using NTFS ACLs; prevent anonymous users from writing via IIS settings,” explained Bruce Dang and Jonathan Ness, MSRC Engineering team.
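The three workarounds quoted above all come down to one condition: untrusted users must not be able to write (and in particular create directories) through the FTP service. The following PowerShell script is an added example, not code from the article, the advisory or Microsoft, that audits an IIS 6 host for that condition. It assumes the IIS 6 WMI provider (namespace root\MicrosoftIISv2) is installed; the class names IIsFtpServerSetting and IIsFtpVirtualDirSetting and the properties AllowAnonymous, AccessWrite and Path are taken from the IIS 6 metabase schema and are assumptions to verify against your own host.

```powershell
# Added audit example (assumptions: IIS 6 WMI provider present; class and
# property names as listed in the lead-in). Reports findings, changes nothing.
$findings = @()

# Workaround 1: is the FTP Publishing Service (MSFTPSVC) running at all?
$svc = Get-Service -Name MSFTPSVC -ErrorAction SilentlyContinue
if ($svc -and $svc.Status -eq 'Running') {
    $findings += "MSFTPSVC is running; stop and disable it if FTP is not required."
} else {
    Write-Output "MSFTPSVC is not running: this host is not exposed through the FTP service."
    return
}

$ns = 'root\MicrosoftIISv2'
$sites = Get-WmiObject -Namespace $ns -Class IIsFtpServerSetting
foreach ($site in $sites) {
    # The site's home directory lives at "<site>/ROOT" in the metabase.
    $rootName = "$($site.Name)/ROOT"
    $root = Get-WmiObject -Namespace $ns -Class IIsFtpVirtualDirSetting |
            Where-Object { $_.Name -eq $rootName }
    if (-not $root) { continue }

    # Workaround 3: anonymous logon allowed AND the home directory is writable via IIS.
    if ($site.AllowAnonymous -and $root.AccessWrite) {
        $findings += "$($site.ServerComment): anonymous users have FTP write access to $($root.Path)."
    }

    # Workaround 2: NTFS ACL lets low-privilege principals (including the default
    # IUSR_<machine> anonymous account) create directories under the FTP root.
    $acl = Get-Acl -Path $root.Path
    foreach ($ace in $acl.Access) {
        $id = $ace.IdentityReference.Value
        $canMkdir = $ace.FileSystemRights -band `
                    [System.Security.AccessControl.FileSystemRights]::CreateDirectories
        if ($ace.AccessControlType -eq 'Allow' -and $id -match 'Everyone|\\Users$|IUSR_' -and $canMkdir) {
            $findings += "$($root.Path): NTFS allows '$id' to create directories."
        }
    }
}

if ($findings.Count -eq 0) { "No risky FTP write configuration found." } else { $findings }
```

Each finding maps to one of the advisory's workarounds, so an empty result means the host already satisfies the "no untrusted write access" goal the MSRC engineers describe.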
