main
Report a problem

Microsoft warns of web server flaw

Daniel Fleshbourne   on 21 April 2008 - 13:27 · 14 comments & 9913 views

Advertisement (Why?)
Microsoft is investigating a newly reported flaw that could put websites at risk of attack. The company has issued an advisory on the vulnerability, which affects Windows XP Professional SP2, Windows Server 2003, Windows Vista and Windows Server 2008. The problem exists in Windows' handling of code within its Internet Information Services (IIS) and SQL Server.

If exploited, the vulnerability could allow a user to elevate access privileges to that of the LocalSystem administration tool. Microsoft warned that companies that make extensive use of user-provided code, such as site hosts, are especially vulnerable.

View: The full story @ vnunet

Share this Article

  • Technorati
  • Magnolia
  • Stumble upon it
  • Reddit
  • Blink List
  • Delicious
  • Slashdot
  • Furl
  • Facebook
  • Windows Live
  • Google
  • Newsvine
  • Yahoo
  • RawSugar
  • Netvouz

About the Author

Full name: Daniel Fleshbourne
User name: Daniel
Contact: via forum PM
Submissions: View All
More: View Bio   New!

Related news

 

Post a comment · Send to friend Comments · There are 14 additional comments
#1 XerXis on 21 Apr 2008 - 13:34
nice ... hope they patch it quick
(1 reply) #2 KevinRGood on 21 Apr 2008 - 13:36
It's a good thing Microsoft delay WinXP SP3. They can slap this patch on that sucker!
#2.1 nekrosoft13 on 22 Apr 2008 - 02:55
no they won't, SP3 is finished (RTM) once its finished they won't add anything to it
#3 MioTheGreat on 21 Apr 2008 - 13:43
(nm)
(6 replies) #4 +Black.Mac on 21 Apr 2008 - 13:55
This is the 1st hole I've heard for IIS in a long time.
#4.1 vetmarkjensen on 21 Apr 2008 - 14:12
IIS has been pretty solid for several years. And this item, while serious, is locally exploitable only, so if you have trusted admins/maintainers with good passwords it isn't as serious as something remotely exploitable by any anonymous user.
#4.2 Antaris on 21 Apr 2008 - 16:11
Out of all the Microsoft products, it's IIS that I've always felt was the strong boy, hard as nails, robocop bit of sortware, and this is the first flaw I have heard of in AGES.
#4.3 Axon on 21 Apr 2008 - 16:46
Couldn't agree more. My experience with IIS is 100% rock solid, I'd recommend it to all corporate customers.
#4.4 GP007 on 21 Apr 2008 - 17:40
This looks like it's the first IIS 7.0 flaw. As for IIS 6.0 this would be the 3rd, Yes 3RD time it's been effected. And that's going all the way back to 2003. Much of this is do to the fact that MS rewrote IIS with version 6 after all the problems with IIS5.

As for SQL Server, I don't know it's flaw history but either way it seems that MS is getting better and faster at patching and overall security.
#4.5 vetmarkjensen on 21 Apr 2008 - 18:40
(GP007 said @ #4.4)
This looks like it's the first IIS 7.0 flaw.
...
Nah, there was a local privilege escalation issue in Feb of this year for IIS 7, according to Secunia.
#4.6 Kyanar on 22 Apr 2008 - 00:58
(Black.Mac said @ #4)
This is the 1st hole I've heard for IIS in a long time.


According to the linked Advisory (CVE, or Technet) this isn't a bug in IIS or SQL server, it's Windows.
(2 replies) #5 ralfs on 22 Apr 2008 - 06:05
This is a major flaw and we have been affected by it and so have thousands of servers already.

Do a google about nihaorr1.com and you will see how many servers are affected.

The flaw actually destroys your SQL database by injecting a javascript that redirects to nihaorr1.com and the only way to recover is to do the workaround steps that MS suggests and then restore the SQL database from a backup.

Yes if you don't have a backup you are screwed....
#5.1 +mrbester on 22 Apr 2008 - 11:23
Your flaw is crap insecure code allowing SQL injection attacks to be successful. The flaw in the Microsoft Advisory is completely different.
"Advisory"
How is IIS affected?
User-provided code running in IIS, for example ISAPI filters and extensions, and ASP.NET code running in full trust may be affected by this vulnerability. IIS is not affected in the following scenarios:
• Default Installations of IIS 5.1, IIS 6.0, and IIS 7.0
• ASP.NET configured to run with a trust level lower than Full Trust.
• Classic ASP code

How is SQL Server affected?
SQL Server is affected if a user is granted administrative privileges to load and run code. A user with administrative privileges could execute specially crafted code that could leverage the attack. However, this privilege is not granted by default.

In other words, the server must have been weakened in order for this flaw to be exploited.
#5.2 Magallanes on 22 Apr 2008 - 13:00
(mrbester said @ #5.1)
Your flaw is crap insecure code allowing SQL injection attacks to be successful. The flaw in the Microsoft Advisory is completely different.
"Advisory"
How is IIS affected?
User-provided code running in IIS, for example ISAPI filters and extensions, and ASP.NET code running in full trust may be affected by this vulnerability. IIS is not affected in the following scenarios:
• Default Installations of IIS 5.1, IIS 6.0, and IIS 7.0
• ASP.NET configured to run with a trust level lower than Full Trust.
• Classic ASP code

How is SQL Server affected?
SQL Server is affected if a user is granted administrative privileges to load and run code. A user with administrative privileges could execute specially crafted code that could leverage the attack. However, this privilege is not granted by default.

In other words, the server must have been weakened in order for this flaw to be exploited.


Having fun running ASP.net with a lower trust level and installing third parties software.


Commenting has either been disabled on this article or you are not logged in. Click here to login or register, its free!

Note: Anonymous commenting is disabled in order to keep the quality of responses to a high standard.

Advertisement (Why?)
News powered by Neowin Management System (Build - 5.0.1390) © 2000 - 2008 Neowin.net