Microsoft Warns IIS Vulnerability Is Under AttackSeptember 5, 2009 – 12:21 PM
Microsoft officials are reporting limited attacks targeting a zero-day vulnerability in the FTP service in Internet Information Services.
The IIS vulnerability warning follows the release of new exploit code that can be used to create a DoS (denial of service) condition on Windows XP and Windows Server 2003 without requiring Write access. Also, a new proof of concept allowing a DoS was disclosed Sept. 2 that affects FTP 6, which shipped with Windows Vista and Windows Server 2008.
Microsoft first issued an advisory on the bug Sept. 1, a day after exploit code for the vulnerability was posted on Milw0rm. In addition to a DoS, if the bug is successfully exploited it can allow remotely authenticated users to execute arbitrary code via a crafted NLST command that uses wildcards.
“An attacker with access to FTP Service could use this vulnerability to cause a stack-based overrun that could allow execution of arbitrary code in the context of the LocalSystem account on systems running IIS 5.0, or denial of service on affected systems running IIS 5.0, IIS 5.1, IIS 6.0 or IIS 7.0,” Microsoft warned. “In configurations of FTP Service where anonymous authentication is allowed, the attacker need not be authenticated for exploitation to occur.”