Microsoft Issues Another Cumulative IIS Patch
Microsoft bundled five newly discovered IIS vulnerabilities into a cumulative patch, posted Wednesday, that rolls together all the fixes for the Web server.

Microsoft Corp. bundled five newly discovered IIS vulnerabilities into a cumulative patch, posted Wednesday night, that rolls together all the fixes for the Web server.
The beleaguered Internet Information Server/Services software has been the source of negative publicity for Microsoft lately due to its role as the vector for the Code Red worm. The new security rollup includes the fixes for Code Red, but was created primarily to address other vulnerabilities.
It is also the second time this year that Microsoft has rolled security fixes together for IIS. Redmond issued a similar security roundup (MS01-026) in May. A security rollup was also released for Windows NT 4.0 a few weeks ago in lieu of the cancelled Service Pack 7.
In its bulletin announcing the new IIS security patch, Microsoft confirmed the existence of five IIS vulnerabilities which can be exploited by means of denial-of-service (DoS), buffer overrun or privilege-elevation attacks.
A message from Russ Cooper, moderator of the NTBugTraq Mailing List, reflected a "here we go again" attitude about the state of IIS security.
"I understand that you've probably just finished ensuring that all of your IIS servers have had MS01-033 [the Code Red patch] applied. Maybe you even went so far as to apply MS01-026 (the last IIS cumulative patch)," Cooper wrote.
"I'm loath to ask you to now go back to all of these machines and apply yet another patch, however...there are several circumstances that may apply to your systems that might make it necessary for you to get this new Security Bulletin patch applied quickly," Cooper wrote. Users should consider the patch immediately if they run Web hosting environments, allow IIS authoring or do URL redirects from an IIS 4.0 box, according to Cooper.
Possible attack scenarios include:

A DoS attack that exploits a flaw in IIS 4.0's Web site redirection capabilities and which can cause an IIS server to stop responding to HTTP requests. According to Microsoft, the notorious Code Red worm generates traffic that in some cases is capable of exploiting this vulnerability.
In the aftermath of the Code Red worm, a number of administrators posted messages to Microsoft's IIS newsgroup (microsoft.public.inetserver.iis) in which they complained that even though their IIS 4.0 servers weren't supposed to be susceptible to Code Red, they were nonetheless crashing as a result of the extremely high network traffic generated by other infected IIS 5.0 servers.
A DoS attack that exploits a flaw in Microsoft's implementation of Web Distributed Authoring and Versioning (WebDAV), a set of enhancements to HTTP that facilitates Web-based document management capabilities.

According to Microsoft, its WebDAV implementation doesn't correctly process a particular type of malformed request. If an attacker submits a malformed request of this kind to an IIS 5.0 Web server, she could cause IIS 5.0 services to crash. Microsoft says that a DoS interruption would only be temporary, however, because IIS 5.0 services automatically restart in the event of a failure.
A DoS attack that exploits a vulnerability associated with the way in which IIS 5.0 interprets Multipurpose Internet Mail Extensions (MIME) content.

Microsoft says that when an attacker places content containing a (particular kind of an) invalid MIME header onto a server and subsequently requests it, a spurious entry is created in the Web site's File Type table. DoS occurs because IIS 5.0 is unable to serve any additional content until the spurious File Type table entry is removed.
A buffer overrun attack that exploits a vulnerability associated with the code that IIS uses to process server-side include (SSI) directives.

According to Microsoft, if an attacker can place a file directly onto a server, she can also include a malformed SSI directive that - once it's processed - will enable her to execute code of her choice on a compromised Windows NT 4.0 or Windows 2000 server in Local System context. Microsoft says that an attacker doesn't actually have to request a file which contains a malformed SSI directive to perpetrate an exploit of this type: Any request for such a file, initiated by an attacker or by an unsuspecting user, could trigger the exploit.
Local System context is the highest security context on a Windows NT or Windows 2000 system. An attacker who successfully exploited a vulnerability of this type would have complete control over a compromised system.
A privilege elevation vulnerability that results because of a flaw in the way that IIS determines whether a process should run in-process or out-of-process. Microsoft says that IIS 5.0 uses a table which lists the system files that should always run in-process. Because this table supports both absolute addressing (in which a specific path to an executable is specified) as well as relative addressing (in which only the name of an executable is specified), however, it's possible for an attacker to upload a malicious program, rename it after the fashion of an in-process executable, and execute it with System Level privileges on a server.

An attacker who perpetrates an exploit of this type could take complete control of a compromised system.
The software giant says that by default, unprivileged users don't have the ability to install or upload content to a server, so only privileged users are capable of successfully exploiting the last three vulnerabilities.
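To make the in-process table flaw described above concrete, here is an added illustration (not code from Microsoft or from this article) of a hypothetical lookup that honours name-only entries, beside one that anchors every entry to a fixed directory and compares full paths. The table contents, directory and file names are constructed for the example, and an audit helper lists the entries that rely on relative addressing.

```python
import ntpath

# Constructed stand-in for the table the article describes: system files
# that should always run in-process. Entries and paths are hypothetical.
TRUSTED_DIR = r"C:\WINNT\System32\inetsrv"
IN_PROCESS_TABLE = [
    r"C:\WINNT\System32\inetsrv\absolute_example.dll",  # absolute entry
    "relative_example.dll",                             # name-only entry
]


def _norm(path):
    """Canonical form for comparison: case-folded, separators and '..' resolved."""
    return ntpath.normcase(ntpath.normpath(path))


def runs_in_process_weak(exe_path):
    """Weak lookup: a name-only entry matches any file with that name, anywhere.

    A renamed upload in a writable directory therefore matches and would be
    run in-process with the server's own privileges."""
    for entry in IN_PROCESS_TABLE:
        if ntpath.isabs(entry):
            if _norm(entry) == _norm(exe_path):
                return True
        elif entry.lower() == ntpath.basename(exe_path).lower():
            return True
    return False


def runs_in_process_fixed(exe_path):
    """Hardened lookup: each entry is anchored to TRUSTED_DIR and only a full,
    normalised path match counts, so a same-named file elsewhere does not."""
    target = _norm(exe_path)
    for entry in IN_PROCESS_TABLE:
        full = entry if ntpath.isabs(entry) else ntpath.join(TRUSTED_DIR, entry)
        if _norm(full) == target:
            return True
    return False


def name_only_entries(table=IN_PROCESS_TABLE):
    """Audit helper: entries that rely on relative addressing and deserve review."""
    return [e for e in table if not ntpath.isabs(e)]


if __name__ == "__main__":
    uploaded = r"C:\Inetpub\wwwroot\relative_example.dll"  # constructed writable location
    print("weak :", runs_in_process_weak(uploaded))   # True
    print("fixed:", runs_in_process_fixed(uploaded))  # False
    print("audit:", name_only_entries())
```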
Although the latest batch of IIS patches is cumulative, at least four IIS 4.0 vulnerabilities that require administrative action rather than software patching aren't included in the latest hotfix roll-up. Microsoft also says that fixes for non-IIS-related vulnerabilities - including those associated with Front Page Server Extensions and the Index Server/Indexing Service - aren't integrated into the latest hotfix roll-up, either.
But the software giant confirms that the new hotfix roll-ups incorporate support for the Indexing Service/Index Server vulnerability that served as the basis for the recent spate of Code Red attacks.
There are two versions of the new patch. A version for Internet Information Services 5.0 includes all security patches issued so far for IIS 5.0, which is part of Windows 2000. Another version for Internet Information Server 4.0 rolls together all the security fixes for IIS 4.0 since Windows NT 4.0 Service Pack 5.
About the Author
Stephen Swoyer is a Nashville, TN-based freelance journalist who writes about technology.