9 April 2017

Microsoft Zero Day to Stay Unpatched


Microsoft Internet Information Services (IIS) 6.0 has a Zero Day vulnerability attackers leveraged last summer and is likely undergoing exploitation now, researchers said.

The vulnerability is a buffer overflow in a function in the WebDAV service in IIS 6.0 in Microsoft Windows Server 2003 R2, and can end up triggered by attackers sending an overlong IF header in a PROPFIND request, said researchers at Trend Micro.

Unfortunately, Microsoft won’t patch the flaw because they stopped supporting Windows Server 2003 a few years ago (IIS 6.0 was in the OS).

There are a little over 600,000 publicly accessible IIS 6.0 servers on the Internet, and most of them are probably running on Windows Server 2003, according to a search of Shodan. Of these, a good 10 percent has WebDAV enabled to allow for remote web authoring, meaning there are possibly millions of websites out there exposed to this exploit.

The risk of exploitation can end up mitigated by disabling the WebDAV service on the vulnerable IIS 6.0 installation, but not all administrators will want to do it.

There is a fix out there from Mitja Kolsek, chief executive of Acros Security and co-founder at 0patch.

The patch is free and its source code is open for inspection.

Trend Micro researchers said in a post the most important things to know right now are:

• The flaw can be exploited remotely, and allows attackers to execute arbitrary code on a vulnerable machine

• A proof-of-concept exploit has been published on GitHub, so it could mean attackers are repurposing it

• The flaw affects 32-bit and 64-bit Windows Server 2003 with WebDAV functionality enabled. It doesn’t affect newer versions of IIS (7.0 or later) and newer versions of Windows Server

No comments: