Microsoft warns of web server flaw

Microsoft is investigating a newly reported flaw that could put websites at risk of attack. The company has issued an advisory on the vulnerability, which affects Windows XP Professional SP2, Windows Server 2003, Windows Vista and Windows Server 2008. The problem exists in Windows' handling of code within its Internet Information Services (IIS) and SQL Server.

If exploited, the vulnerability could allow a user to elevate access privileges to that of the LocalSystem administration tool. Microsoft warned that companies that make extensive use of user-provided code, such as site hosts, are especially vulnerable.

View: The full story @ vnunet


14 Comments


This is a major flaw and we have been affected by it and so have thousands of servers already.

Do a google about nihaorr1.com and you will see how many servers are affected.

The flaw actually destroys your SQL database by injecting a javascript that redirects to nihaorr1.com and the only way to recover is to do the workaround steps that MS suggests and then restore the SQL database from a backup.

Yes if you don't have a backup you are screwed....

Your flaw is crap insecure code allowing SQL injection attacks to be successful. The flaw in the Microsoft Advisory is completely different.

"Advisory"
How is IIS affected?
User-provided code running in IIS, for example ISAPI filters and extensions, and ASP.NET code running in full trust may be affected by this vulnerability. IIS is not affected in the following scenarios:
· Default Installations of IIS 5.1, IIS 6.0, and IIS 7.0
· ASP.NET configured to run with a trust level lower than Full Trust.
· Classic ASP code

How is SQL Server affected?
SQL Server is affected if a user is granted administrative privileges to load and run code. A user with administrative privileges could execute specially crafted code that could leverage the attack. However, this privilege is not granted by default.


In other words, the server must have been weakened in order for this flaw to be exploited.
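A check for the IIS condition quoted from the advisory above, as an added example that is not part of the original article or its comments: it reads a web.config document and reports which scopes run ASP.NET in Full trust. The function names and both sample configurations are constructed for illustration, and the code assumes ASP.NET's default of Full trust when no `<trust>` element is present.

```python
import xml.etree.ElementTree as ET

# Assumption: ASP.NET runs an application in Full trust when no <trust> element is set.
DEFAULT_LEVEL = "Full"
APP_SCOPE = "(application)"

# Constructed sample: no <trust> element at all.
SAMPLE_DEFAULT = """<configuration>
  <system.web><compilation debug="false" /></system.web>
</configuration>"""

# Constructed sample: Medium trust for the application, Full trust for one location.
SAMPLE_MIXED = """<configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">
  <system.web><trust level="Medium" /></system.web>
  <location path="legacy">
    <system.web><trust level="Full" /></system.web>
  </location>
</configuration>"""

def _parse(config_xml):
    """Parse a web.config string and drop any XML namespace so lookups by plain tag name work."""
    root = ET.fromstring(config_xml)
    for el in root.iter():
        if isinstance(el.tag, str):
            el.tag = el.tag.split("}", 1)[-1]
    return root

def trust_levels(config_xml):
    """Map each scope (the application, or a <location path>) to its configured trust level."""
    root = _parse(config_xml)
    top = root.find("./system.web/trust")
    levels = {APP_SCOPE: top.get("level", DEFAULT_LEVEL) if top is not None else DEFAULT_LEVEL}
    for loc in root.findall("./location"):
        trust = loc.find("./system.web/trust")
        if trust is not None:
            levels[loc.get("path", ".")] = trust.get("level", DEFAULT_LEVEL)
    return levels

def full_trust_scopes(config_xml):
    """Scopes running in Full trust, the ASP.NET case the advisory text says may be affected."""
    return sorted(s for s, lvl in trust_levels(config_xml).items() if lvl.lower() == "full")

if __name__ == "__main__":
    for name, xml in (("default", SAMPLE_DEFAULT), ("mixed", SAMPLE_MIXED)):
        print(name, trust_levels(xml), "-> Full trust:", full_trust_scopes(xml))
```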

(mrbester said @ #5.1)
Your flaw is crap insecure code allowing SQL injection attacks to be successful. The flaw in the Microsoft Advisory is completely different.

In other words, the server must have been weakened in order for this flaw to be exploited.

Having fun running ASP.net with a lower trust level and installing third-party software.


IIS has been pretty solid for several years. And this item, while serious, is locally exploitable only, so if you have trusted admins/maintainers with good passwords it isn't as serious as something remotely exploitable by any anonymous user.

Out of all the Microsoft products, it's IIS that I've always felt was the strong boy, hard as nails, robocop bit of software, and this is the first flaw I have heard of in AGES.

Couldn't agree more. My experience with IIS is 100% rock solid, I'd recommend it to all corporate customers.

This looks like it's the first IIS 7.0 flaw. As for IIS 6.0 this would be the 3rd, Yes 3RD time it's been affected. And that's going all the way back to 2003. Much of this is due to the fact that MS rewrote IIS with version 6 after all the problems with IIS5.

As for SQL Server, I don't know its flaw history but either way it seems that MS is getting better and faster at patching and overall security.

(Black.Mac said @ #4)
This is the 1st hole I've heard for IIS in a long time.

According to the linked Advisory (CVE, or Technet) this isn't a bug in IIS or SQL server, it's Windows.