Microsoft (Nasdaq: MSFT) has posted a patch on its Security Advisor Web page to eliminate a significant vulnerability discovered by eEye, an independent online security firm, and reported on last week by the E-Commerce Times.
The vulnerability involves Microsoft’s Internet Information Server 4.0, “the most commonly used web server on the Internet.” According to Microsoft’s Security Bulletin MS99-019, the hole could allow either denial of service attacks against an IIS server or, under certain conditions, arbitrary code to be run on the server.
Although no related security breaches have been reported to the Redmond, Washington-based software provider, the potential still exists for attackers to exploit this vulnerability and take control of Web sites, including e-commerce operations, gaining access to credit card information and more.
According to the original alert issued by eEye’s Digital Security Team, posted a week before Microsoft officially responded with a cursory “workaround,” the vulnerability could permit remote access to an IIS server through a buffer overflow in the handling of .HTR requests, the mechanism that allows users to change their passwords remotely. ISM.DLL, the ISAPI extension that processes .HTR files, contains the flawed code; Microsoft’s interim workaround was to remove the .HTR script mapping so that ISM.DLL no longer handles such requests. Until that mapping is removed or the patch applied, any remote user who can reach the server can attempt the overflow.
Microsoft has since added that the .STM and .IDC handlers are affected as well. IIS 4.0 administrators should check whether ISM.DLL, SSINC.DLL or HTTPODBC.DLL (the extensions that process .HTR, .STM and .IDC requests, respectively) are present and mapped on their servers; if any of them is, the server is potentially vulnerable.
The patch, according to Microsoft, “contains a fix for the originally identified vulnerability in .HTR file processing, as well as a fix to similar vulnerabilities subsequently identified that affect .IDC and .STM files. All customers using IIS 4.0, even if installed as part of a different Microsoft product, should (download the patch),” even if they have already applied the original “workaround.”
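As an added example (not code from the article, from eEye or from Microsoft), the following Python script shows the kind of check an administrator could run against IIS W3C extended log files: it reports which of the three affected handlers are actually receiving traffic, which tells you whether removing a script mapping is a workable interim measure, and flags overlong request URIs routed to them. The log lines are constructed for the example, and the length threshold is an assumption of mine; the article does not describe the trigger, but eEye’s published demonstration sent a request URI thousands of bytes long, which is the pattern the check looks for.

```python
"""Scan IIS 4.0 W3C extended log lines for traffic to the script mappings
covered by MS99-019 (.HTR, .STM, .IDC) and flag overlong request URIs."""

import posixpath
from typing import Dict, List, Optional, Set

# Script mappings addressed by the patch, keyed by extension and mapped to the
# ISAPI DLL that serves it (the three DLLs the bulletin tells admins to look for).
AFFECTED_EXTENSIONS: Dict[str, str] = {
    ".htr": "ISM.DLL",
    ".stm": "SSINC.DLL",
    ".idc": "HTTPODBC.DLL",
}

# Assumption for this example: an exploitation attempt shows up as a request
# URI far longer than any legitimate .htr/.stm/.idc path (eEye's public
# demonstration used a URI thousands of bytes long). Tune for your site.
SUSPICIOUS_URI_LENGTH = 1024

# Constructed sample log, not real traffic: W3C extended format with a
# #Fields directive, one ordinary .htr request and one overlong one.
SAMPLE_LOG = "\n".join([
    "#Software: Microsoft Internet Information Server 4.0",
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "1999-06-16 10:01:02 10.0.0.5 GET /default.htm - 200",
    "1999-06-16 10:01:09 10.0.0.5 GET /iisadmpwd/aexp.htr - 200",
    "1999-06-16 10:02:15 10.0.0.9 GET /" + "A" * 3000 + ".htr - 500",
    "1999-06-16 10:03:00 10.0.0.7 GET /scripts/sample.idc name=foo 200",
])


def parse_w3c(log_text: str) -> List[Dict[str, str]]:
    """Parse W3C extended log text into one dict per entry, keyed by #Fields names.

    Directive lines start with '#'; the column layout comes from the most recent
    #Fields line, so the parser does not hard-code a field order.
    """
    fields: Optional[List[str]] = None
    records: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("log entry appears before any #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed entry: skip rather than misalign the columns
        records.append(dict(zip(fields, values)))
    return records


def handler_for(uri_stem: str) -> Optional[str]:
    """Return the affected ISAPI DLL that would serve this URI stem, or None.

    Extension matching is case-insensitive because IIS script mappings are.
    """
    ext = posixpath.splitext(uri_stem)[1].lower()
    return AFFECTED_EXTENSIONS.get(ext)


def handlers_in_use(records: List[Dict[str, str]]) -> Set[str]:
    """Which affected DLLs actually received requests. A handler with no
    legitimate traffic is a candidate for removing its script mapping."""
    seen: Set[str] = set()
    for rec in records:
        dll = handler_for(rec.get("cs-uri-stem", ""))
        if dll is not None:
            seen.add(dll)
    return seen


def find_suspicious(records: List[Dict[str, str]],
                    max_len: int = SUSPICIOUS_URI_LENGTH) -> List[Dict[str, object]]:
    """Flag requests routed to an affected handler whose URI stem exceeds max_len."""
    hits: List[Dict[str, object]] = []
    for rec in records:
        stem = rec.get("cs-uri-stem", "")
        dll = handler_for(stem)
        if dll is not None and len(stem) > max_len:
            hits.append({
                "c-ip": rec.get("c-ip", "-"),
                "handler": dll,
                "uri_length": len(stem),
                "sc-status": rec.get("sc-status", "-"),
            })
    return hits


if __name__ == "__main__":
    recs = parse_w3c(SAMPLE_LOG)
    print("affected handlers seen:", sorted(handlers_in_use(recs)))
    for hit in find_suspicious(recs):
        print(f"suspicious: {hit['c-ip']} -> {hit['handler']} "
              f"(URI length {hit['uri_length']}, status {hit['sc-status']})")
```

Run it over the server’s exported log files. A handler that shows no legitimate traffic is a candidate for having its script mapping removed, as in Microsoft’s original workaround, but the DLLs stay on disk either way, so the patch is still required. Treat a clean log as weak evidence only: IIS writes an entry when a request completes, so a request that actually crashed the server may never have been logged.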
Subscribers to the Microsoft Product Security Notification Service have been advised on the matter. The patch and a number of related links and information are available through the company.
The hole was discovered by eEye while testing its Retina network security scanning product, a tool used to spot potential vulnerabilities and weaknesses. But the security firm, run by eCompany LLC, an e-commerce firm, not only posted an advisory but also released working exploit code.
Instead of sending thank-you notes to eEye, Microsoft called the move irresponsible. As reported by ZDNet, however, some security experts feel that mere notification of the vendor is not effective enough. eEye, along with a spate of other organizations including L0pht, believes in “full disclosure.”
“This exploit demonstrates the seriousness of the hole,” and the need to give it “the attention it deserves,” stated an eEye post on its Web site. “If our team starts hiding the facts, we’ll be no better than a software vendor that rushes insecure products to market.”