We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message
80,259 News Articles

Attackers exploit unpatched Microsoft IIS bug

Flaw could allow cybercriminals to launch DoS attack

Microsoft says that cyber-criminals are starting to exploit an unpatched bug in its IIS server software that was made public last week.

The flaw can be exploited to let an attacker take control of an older IIS (Internet Information Services) 5.0 server running on Windows 2000, provided the hacker has some way of creating an FTP (File Transfer Protocol) directory on the server. Attack code that exploits the bug was posted last Monday.

Other IIS users could also be hit with a denial of service (DoS) attack, thanks to a second attack, posted to the Milw0rm website on Thursday.

This new code could be used to launch a DoS attack against IIS 5.0, 5.1, 6.0 and 7.0, and could affect users running IIS on Windows XP and Windows Server 2003, Microsoft said. For the attack to work, however, the server needs to be running the FTP service, and the attacker must be able to read files on the system.

Microsoft updated its security advisory on the issue last week, saying it was starting to see "limited attacks that use this exploit code".

That generally means that only a handful of attacks have been spotted. Other security vendors contacted on Friday said they had not seen the IIS bug being used in attacks.

Microsoft will release its scheduled September security updates on Tuesday, but it is not expected to fix this bug until it has had more time to test and develop a patch. Microsoft was not notified of the bug until the attack code was made public last Monday.

"The initial vulnerability was not responsibly disclosed to Microsoft, which has led to limited, active attacks putting customers at risk," Microsoft said in a blog posting.

Microsoft didn't say whether the attacks it had seen involved installing malicious software on an IIS server or simply making it crash. The company did not respond to a request for more information on the subject.

See more:

PC security advice


IDG UK Sites

4G to get faster and cheaper with Freeview spectrum: We're in for a wait though

IDG UK Sites

Why you shouldn't buy your gadgets at launch: Wait and pick up a bargain

IDG UK Sites

Artist creates a geometric rave in a chapel for The House of St Barnabus

IDG UK Sites

Mac mini (Late 2014) 1.4 GHz review: Mac mini is sort of upgradable, but is it any good as it is?