
Microsoft prepares patch for IIS bug

IIS 5 and IIS 6 are affected by new attack

One day after a security researcher published attack code for a flaw in Microsoft's IIS server software, Microsoft said it plans to patch the issue.

Microsoft also released a security advisory describing the problem and detailing technical workarounds that system administrators can implement while they're waiting for a patch. "We’re currently investigating the issue... and working to develop a security update," Microsoft said in a note on its website. "This update will be released once it reaches an appropriate level of quality for broad distribution."

Microsoft's next set of security patches is due on September 8. It's not clear if the company will be able to develop and test its IIS (Internet Information Services) patch in time for that update, however.

The attack code was published on Monday by Nikolaos Rangos, who said he did not notify the software company of the issue ahead of time. Rangos's attack is considered to be very reliable on IIS 5 systems and could be used to run unauthorised software on the server.

The flaw lies in the FTP (File Transfer Protocol) software used by IIS, and is considered to be a critical issue for users of the older IIS 5 product. IIS 6 users are also affected, but they are at reduced risk because of the way IIS 6 was compiled, Microsoft said in its advisory. "This does not remove the vulnerability but does make exploitation of the vulnerability more difficult."

Users who are using the more-recent IIS 7 or who are not running the FTP service are not affected, Microsoft said.

Even for IIS 5 and 6 users, there's another mitigating factor: "Affected systems are not vulnerable unless untrusted FTP users are granted write access. By default, FTP users are not granted write access," Microsoft said.

Although nobody has yet reported real-world attacks using Rangos's code, security vendor Symantec said on Tuesday that "many systems will be vulnerable across the internet and that in-the-wild attacks will occur".

Another security company, Secunia, rates the flaw 'moderately critical'.

Last May, web analytics firm Netcraft counted 2.8 million sites still using the IIS 5 software, but it's not clear how many of them would have the FTP set-up that would make them vulnerable to this attack.
