Microsoft probes critical IIS Web server bug
"Microsoft is investigating new public claims of a possible vulnerability in IIS 5.o and IIS 6.0 File Transfer Protocol (FTP)," a company spokesman said today. "We will take steps to determine how customers can protect themselves should we confirm the vulnerability." Microsoft added that it had not yet seen any evidence of actual in-the-wild attacks, but as is its usual practice, hinted that it might create a patch for the problem.
It offered no defensive measures Web server administrators could take in lieu of a fix, a departure from past investigations, when Microsoft has offered not only instructions to customers, but also delivered tools that helped users automate the workaround.
The disclosure of exploit code triggered warnings from a few security firms, as well as from the U.S. Computer Emergency Response Team (US-CERT), which urged administrators to disable FTP (file transfer protocol) write access in IIS.
According to a US-CERT advisory, the FTP server included in IIS fails to properly parse specially-crafted directory names. Hackers can issue a NLST command (NAME LIST) on a specially-named directory to force a stack buffer overflow. "[This] may allow a remote attacker to execute arbitrary code on a vulnerable system," said US-CERT.
Danish bug tracking vendor Secunia ranked the vulnerability "moderately critical," the third-highest threat level in its five-ste