Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Microsoft Downplays IIS Bug Threat

Soulskill posted more than 5 years ago | from the this-is-not-the-bug-you're-looking-for dept.

Microsoft 114

snydeq writes "Microsoft confirmed that its IIS Web-server software contains a vulnerability that could let attackers steal data, but downplayed the threat, saying 'only a specific IIS configuration is at risk from this vulnerability.' The flaw, which involves how Microsoft's software processes Unicode tokens, has been found to give attackers a way to view protected files on IIS Web servers without authorization. The vulnerability, exposed by Nikolaos Rangos, could be used to upload files as well. Affecting IIS 6 users who have enabled WebDAV for sharing documents via the Web, the flaw is currently being exploited in online attacks, according to CERT, and is reminiscent of the well-known IIS unicode path traversal issue of 2001, one of the worst Windows vulnerabilities of the past decade."

Sorry! There are no comments related to the filter you selected.

'only a specific IIS configuration is at risk' (5, Funny)

Jurily (900488) | more than 5 years ago | (#28024153)

The default?

Re:'only a specific IIS configuration is at risk' (4, Funny)

AliasMarlowe (1042386) | more than 5 years ago | (#28024305)

Did they give any configuration which is not at risk?

oblig (4, Funny)

Benanov (583592) | more than 5 years ago | (#28024339)

One that isn't installed.

Re:oblig (1)

jonaskoelker (922170) | more than 5 years ago | (#28030169)

Lalalala, I'm not listen(2)ing! ;-)

Re:'only a specific IIS configuration is at risk' (4, Funny)

Jurily (900488) | more than 5 years ago | (#28024357)

Did they give any configuration which is not at risk?

Yes. it's a hidden one, only attainable by those who see the Light. All hail fdisk!

Re:'only a specific IIS configuration is at risk' (5, Informative)

Ralish (775196) | more than 5 years ago | (#28024787)

Did they give any configuration which is not at risk?

Yes, several: More information about the IIS authentication bypass [technet.com]

Worth noting that this only affects IIS 5.x and 6.x, which admittedly, accounts for the huge majority of IIS webservers, but IIS 7.x (Windows Server 2008 and above) are not affected.

Re:'only a specific IIS configuration is at risk' (0)

Anonymous Coward | more than 5 years ago | (#28026779)

Party pooper!!!

Re:'only a specific IIS configuration is at risk' (0)

Anonymous Coward | more than 5 years ago | (#28025373)

the standalone version is not affected.

Re:'only a specific IIS configuration is at risk' (0)

Anonymous Coward | more than 5 years ago | (#28026123)

They just published the latest fix. Go to Control Panel > Uninstall Programs. Uninstall IIS. Then go to apache.org and install apache. Problem resolved.

Re:'only a specific IIS configuration is at risk' (5, Informative)

Anonymous Coward | more than 5 years ago | (#28024503)

Only servers with WEBDAV installed are vulnerable. WEBDAV is not installed and configured by default.

Only IIS 5, 5.1 and 6 are potentially vulnerable under these conditions.

IIS 7 is not vulnerable even with WEBDAV installed.

Re:'only a specific IIS configuration is at risk' (3, Funny)

cayenne8 (626475) | more than 5 years ago | (#28024683)

"Only servers with WEBDAV installed are vulnerable. WEBDAV is not installed and configured by default."

Sounds like you could avoid it by not allowing Unicode either...

I mean, who really needs 'all' those characters?

Re:'only a specific IIS configuration is at risk' (2, Funny)

rvw (755107) | more than 5 years ago | (#28025203)

I mean, who really needs 'all' those characters?

Here on slashdot, we only need one character: Anonymous Coward!

Re:'only a specific IIS configuration is at risk' (1)

HAKdragon (193605) | more than 5 years ago | (#28026789)

What about CowboyNeal?

Re:'only a specific IIS configuration is at risk' (5, Informative)

timbck2 (233967) | more than 5 years ago | (#28025231)

IIRC, WebDAV *is* configured by default on IIS 5. Here's a link to instructions on disabling it (the procedure involves adding a registry value and restarting IIS):

Microsoft KB Article #241520 [microsoft.com]

Re:'only a specific IIS configuration is at risk' (1)

queenb**ch (446380) | more than 5 years ago | (#28026485)

Prolly is the default... Failure is not an option... it comes bundled with Windows. And the best fix for Windows... installing Ubuntu.

Slashdot reported not at risk... (-1, Offtopic)

dargaud (518470) | more than 5 years ago | (#28024159)

...although they use an IIS server with a modified header to make it look like Apache, slashdot.org has been reported 'probably' not at risk since nobody understands its unicode support anyway.

WebDAV used much? (2, Interesting)

TranceThrust (1391831) | more than 5 years ago | (#28024173)

Is Microsoft 'correct' in downplaying, in the sense that the particular vulnerable configuration mentioned is not used by many?

Re:WebDAV used much? (5, Informative)

Shados (741919) | more than 5 years ago | (#28024217)

Yup. You need a fairly specific setup: WebDav enabled on the same application as NTLM authentication (kerberos and anonymous/form is ok as far as I understand), and there must not be anything on top of WebDev for authentication (such as one of the various single signon ISAPIs or a CMS exposing its content through webdav with some form of custom security schemes).

Since no one in their right mind will have WebDav and NTLM exposed to a public site, then the "hackers" can only come from within in the vast majority of scenarios. Don't get me wrong: that is severe, as most hacking DOES come from within.

What makes it far more major, is that its one of the extremely rare remotely exploitable vulnerability that IIS6 have had. Contrary to Slashdot beleif, IIS6 (IIS7 more so though) is totally rock solid and extremely secure, so having something like that pop up is quite scary.

Re:WebDAV used much? (2, Insightful)

Anonymous Coward | more than 5 years ago | (#28024259)


Since no one in their right mind will have WebDav and NTLM exposed to a public site

Have you ever worked in IT? Things "no one in their right mind" would do happen all the time. People don't want to remember 10 different passwords, so I can easily see people wanting to be able to update the website with their "windows password". I'm betting this configuration is far more common than you might think.

Re:WebDAV used much? (-1, Troll)

Will.Woodhull (1038600) | more than 5 years ago | (#28024467)

So this ins't such a big deal because... well, because... uh, I'm just supposed to trust that the IT Guy knows what he's doing. I guess.

Maybe you can help me understand this mess a little better. If you would just tell me what the equivalent vulnerability is in that other really popular server called Apache, then perhaps I could go back to trusting that the IT Guy really knows what he's talking about when he starts gibbering like this.

So how could I duplicate this vulnerability on Apache?

Re:WebDAV used much? (1)

Will.Woodhull (1038600) | more than 5 years ago | (#28026433)

Parent post has been trounced (doubly!) as a troll, and it certainly dripped sarcastic acid. But the question it posed does seem like a valid one:

Is there any equivalent configuration of Apache that would expose a similar vulnerability? That is, is this kind of vulnerability something that could possibly affect Mac, Linux, BSD, or Unix environments, or is it solely limited to Microsoft shops?

I haven't worked on MS-specific stuff for nearly a decade (except as needed to get MSIE to do what standards-compliant browsers do). So I don't know WebDEV or any of the CASE tools that work with MS. And I'm kind of wondering whether this story has any significance to anyone outside of the Microsoft ecosystem. (Other than the obvious fact that no one should entrust any private data to any web site being run with Microsoft products, unless they are confident that the responsible IT department understands these kinds of risks and goes the extra steps necessary to assure that clients don't become victims.)

Re:WebDAV used much? (0)

Anonymous Coward | more than 5 years ago | (#28026793)

Nobody should trust their data to a Linux server either, then, unless they are confident that the responsible IT department understands these kinds of risk and goes the extra steps necessary to assure that clients don't become victims.

Seriously how do people come up with that bullshit?

Re:WebDAV used much? (1)

Sylver Dragon (445237) | more than 5 years ago | (#28026881)

As far as I know, Apache doesn't have anything like WebDAV directly, there might be all kinds of third party applications which create a similar service, but then they probably have their own host of issues.

To be honest, this falls well within the "meh" category of problems. If you have WebDAV running, either you chose to turn it on for very specific reasons, and hopefully made an informed decision before you did so; or, you are running a decade old version of IIS on a decade old operating system and never changed the defaults.

Re:WebDAV used much? (-1, Flamebait)

Anonymous Coward | more than 5 years ago | (#28024543)

its one of the extremely rare remotely exploitable vulnerability that IIS6 have had. Contrary to Slashdot beleif, IIS6 (IIS7 more so though) is totally rock solid and extremely secure

Ah, a Microsoft apologist.

Thanks for the warning. I'll ignore your previous statements.

Re:WebDAV used much? (4, Informative)

blincoln (592401) | more than 5 years ago | (#28024735)

Since no one in their right mind will have WebDav and NTLM exposed to a public site

They will if they're running Outlook Web Access, and haven't manually disabled NTLM using a command-line vbscript that comes with IIS.

Re:WebDAV used much? (0)

iamhigh (1252742) | more than 5 years ago | (#28024893)

They will if they're running Outlook Web Access, and haven't manually disabled NTLM using a command-line vbscript that comes with IIS.

There is so much wrong with that statement... First if it is a vbscript, it isn't manual and it isn't command-line.

Also when using Windows Integrated Auth, Kerberos is the default authentication. If Kerberos fails, then it uses NTLM. Unless you can provide a link that says otherwise...

Re:WebDAV used much? (5, Informative)

blincoln (592401) | more than 5 years ago | (#28025429)

There is so much wrong with that statement... First if it is a vbscript, it isn't manual and it isn't command-line.

Do me a favour. Find your IIS root folder (C:\Inetpub by default). Go into the AdminScripts subfolder. Try double-clicking adsutil.vbs and see how well it works running as a GUI app instead of being called from the command line using cscript.

Also when using Windows Integrated Auth, Kerberos is the default authentication. If Kerberos fails, then it uses NTLM. Unless you can provide a link that says otherwise...

Kerberos is allowed by default, but so is NTLM. If you want to *disallow* NTLM, you have to do this using the script I mentioned above, and in my original post. The syntax is e.g.:

cscript -nologo adsutil.vbs SET w3svc/1/root/NTAuthenticationProviders "Negotiate"

Seems pretty manual to me. But what do I know?

PS: You can verify this on your IIS install using the GET version of that command. The default is "Negotiate,NTLM" (which is also true if it's not explicitly defined). Most IIS admins and engineers don't know how to do things like set up SPNs for Kerberos authentication, which I'm sure is why NTLM is allowed by default.

Re:WebDAV used much? (2, Informative)

blincoln (592401) | more than 5 years ago | (#28027835)

Note 1: see this Microsoft article [microsoft.com] for the official documentation.

Note 2: I suspect that "Negotiate" might actually mean "use the operating-system-level security configurations of the client and the server to determine which protocol is acceptable", so that in order to truly *force* Kerberos you might also have to disallow all varieties of NTLM in the security policy for the server. That's just a guess though.

Re:WebDAV used much? (1)

iamhigh (1252742) | more than 5 years ago | (#28029153)

Yep, forgot about cscript having to be called from command line. Wouldn't you know when I try to talk some shit, I am wrong. Oh well, my apologies.

To your other post, negotiate is referring to Kerberos. I don't know why the don't call it Kerberos, but it relies on *negotiating* some crap (I cant remember details right now) and then sending credentials. Confusing, yes.

Re:WebDAV used much? (1)

charlieman (972526) | more than 5 years ago | (#28027391)

"I'm right until you prove me wrong" ?

Re:WebDAV used much? (1)

Amouth (879122) | more than 5 years ago | (#28024937)

OWA doesn't use WebDav

i don't know anyone that uses WebDav..

the problem isn't in using NTLM (still not the best thing to do) but it is with WebDav

Re:WebDAV used much? (1)

blincoln (592401) | more than 5 years ago | (#28025469)

OWA doesn't use WebDav

It actually does, as I was most disappointed to discover a year or two ago. I don't have time to find official documentation on the MS website, but here's an example of some testing that was done against it [cookcomputing.com] .

Re:WebDAV used much? (1)

Amouth (879122) | more than 5 years ago | (#28025699)

But it isn't required.. for that to work you have to allow webdav which isn't default.

you can still use webdav style searchs using exlodb.

OWA works fine with webdav blocked on iis6

Re:WebDAV used much? (4, Informative)

blincoln (592401) | more than 5 years ago | (#28027755)

The system-wide WebDAV isn't required. Exchange installs its own, separate WebDAV components, which are.

See:

http://support.microsoft.com/kb/309508/ [microsoft.com] ("Exchange 2000 components use Web Distributed Authoring and Versioning (WebDAV) and other Hypertext Transfer Protocol (HTTP) verbs that are not allowed by the default configuration [of the IIS Lockdown and URLScan tools].")

http://windowsitpro.com/article/articleid/38396/critical-webdav-vulnerability-are-your-exchange-servers-safe.html [windowsitpro.com] ("You can't disable WebDAV on your Exchange 2000 servers because OWA 2000 depends on WebDAV")

and

http://windowsitpro.com/article/articleid/45356/deciding-if-and-how-to-disable-webdav-access.html [windowsitpro.com] ("If you're trying to disable Exchange 2003's DAV implementation, be aware that Outlook Web Access (OWA) and several other Exchange components depend on DAV. By blocking specific DAV verbs at the network level (through a firewall) or by installing URLScan, you will break the Exchange DAV implementation."). This last article specifically mentions the separate DAV DLLs for Exchange.

Re:WebDAV used much? (0)

Anonymous Coward | more than 5 years ago | (#28028421)

It actually does, as I was most disappointed to discover a year or two ago. I don't have time to find official documentation on the MS website, but here's an example of some testing that was done against it.

Your example is from 2002, which predates windows 2003 server (with IIS6). Webdav is disabled on IIS6 by default. Installing Exchange & OWA doesn't enable webdav.

Webdav IS enabled on win2000 server (with IIS5) by default.

Re:WebDAV used much? (0)

Anonymous Coward | more than 5 years ago | (#28025877)

WebDav is more common than you think. It's what the FrontPage Server Extensions run on. Some very large hosting providers still use that, as well as some versions of cPanel, and lots and lots of little known but public facing corporate web sites.

Some default configurations of IIS include WebDav, and if you check the box to install all the stuff, IIS will put in web sites using WebDav.

Microsoft is right to downplay this though. The attack seems to be one of privilege escalation, and applies to the IUSR_machine account used for anonymous access. Which, in turn, would require a brain dead configuration of allowing the world to read/write in the first place.

This is bug is a non-issue.

Re:WebDAV used much? (1)

marcosdumay (620877) | more than 5 years ago | (#28027813)

Funny thing, since WebDav is the API MS created to let other programs access Exchange OWA.

Re:WebDAV used much? (1, Flamebait)

gadget junkie (618542) | more than 5 years ago | (#28024775)

[...]

What makes it far more major, is that its one of the extremely rare remotely exploitable vulnerability that IIS6 have had. Contrary to Slashdot beleif, IIS6 (IIS7 more so though) is totally rock solid and extremely secure, so having something like that pop up is quite scary.

Contrary to Slashdot belief, Slashdotters usually rant about Microsoft client operating systems, like Vista or Win7. Ranting about Server Software is bad form, primarily because Linux/Apache is the primary platform, [netcraft.com] and Slashdot should therefore rant that Linux is nipping MS in the bud with its uncompetitive practices.

Re:WebDAV used much? (0)

Anonymous Coward | more than 5 years ago | (#28024867)

Yeah, talk about priced below cost!

Re:WebDAV used much? (3, Insightful)

93 Escort Wagon (326346) | more than 5 years ago | (#28024811)

Since no one in their right mind will have WebDav and NTLM exposed to a public site, then the "hackers" can only come from within in the vast majority of scenarios.

You're making the mistake of assuming that most IIS admins know what they're doing. I'm sure most of them think they know what they're doing, but I'm betting this flaw will get exploited from without much more often than you think it will.

Re:WebDAV used much? (1)

TheRaven64 (641858) | more than 5 years ago | (#28026109)

I'm sure most of them think they know what they're doing

I'm not. The big selling point of IIS is that it's possible to install it and run it by just clicking on a simple GUI, so it can be run by people who don't really understand computers. A lot of 'IIS admins' are likely to be some guy who knows slightly more than anyone else in the company about computers but is really employed to do something else.

Re:WebDAV used much? (2, Funny)

dbIII (701233) | more than 5 years ago | (#28024947)

IIS6 (IIS7 more so though) is totally rock solid and extremely secure

Reality just stood up and punched that misconception on the nose.

Re:WebDAV used much? (1)

jimmypw (895344) | more than 5 years ago | (#28025181)

I'll concur IIS 6/7 is somewhat solid and acceptably secure that is only if the administrator knows what he is doing. Unfortunatly some if not most IIS setups are incredibly complex thus negating the security features provided.

Re:WebDAV used much? (1)

Culture20 (968837) | more than 5 years ago | (#28026087)

most [successful] hacking DOES come from within.

Edited for correctness. By far, the majority of attempts come from outside.

Re:WebDAV used much? (1)

marcosdumay (620877) | more than 5 years ago | (#28027581)

Well, don't install any Dav file browser trought IIS on a intranet, so. It is so easy to work around such things as not having a web based version control, like subversion, or any kind of web based file sharing... I only hope one's mission critical software don't come with hidden Dav clients.

Re:WebDAV used much? (-1, Troll)

Jurily (900488) | more than 5 years ago | (#28024241)

Is Microsoft 'correct' in downplaying, in the sense that the particular vulnerable configuration mentioned is not used by many?

'Correct', in the same sense downplaying the Holocaust because it wasn't an Apocalypse is 'correct'. It might be good to know not everyone was affected, but if you're in the middle of it, you're still fucked.

Subliminal messaging (2, Insightful)

ZinnHelden (1549931) | more than 5 years ago | (#28024223)

'only a specific IIS configuration is at risk from this vulnerability.'

In my head I keep hearing, "don't use webDAV, use Exchange and SharePoint!"

Re:Subliminal messaging (2, Insightful)

Jurily (900488) | more than 5 years ago | (#28024341)

In my head I keep hearing, "don't use webDAV, use Exchange and SharePoint!"

Funny. It sounded like "use software with open standards and secure implementations" to me.

Re:Subliminal messaging (3, Funny)

ZinnHelden (1549931) | more than 5 years ago | (#28024419)

Yeah, I may hear their insane whispering, but I'm not giving up my Citadel server.

Re:Subliminal messaging (1)

goltzc (1284524) | more than 5 years ago | (#28024441)

Don't portions of SharePoint use webdav and ntlm authentication?

Re:Subliminal messaging (1)

lukas84 (912874) | more than 5 years ago | (#28024667)

Yes, of course.

But publishing Sharepoint directly to the Internet is insane. You should put an ALG in front of it, for example ISA Server.

Re:Subliminal messaging (1)

Richard_at_work (517087) | more than 5 years ago | (#28024671)

Both are fairly fundamental parts of SharePoint for the integration features, but you would never expose either to the world when using an external facing SharePoint deployment. Also your SharePoint server should be behind an application aware firewall such as ISA Server anyway.

Re:Subliminal messaging (1)

marcosdumay (620877) | more than 5 years ago | (#28027859)

As do some portions of Exchange. The GP was probably after some Funny mods, not informative.

Re:Subliminal messaging (1)

Ralish (775196) | more than 5 years ago | (#28024979)

Funny. It sounded like "use software with open standards and secure implementations" to me.

I personally use Apache for my web-facing server, but that being said, IIS 6 (Windows Server 2003) has had a very good security track record [secunia.com] . Secunia tracks 6 advisories since its release back in 2003 and only one of those is unpatched, that being the vulnerability this story is about.

In contrast, Apache 2.2 was released in late 2005 and has 10 exploits listed [secunia.com] , with 2 unpatched and 2 with partial fixes. The exploits seem to be on average less severe, but there's more of them, and some aren't patched.

My point being, you might not want to jump to conclusions ;) IIS 5.x and earlier was absolutely shocking for security, but IIS 6.x and above does have significant improvements. It's no coincidence that IIS 6 is not vulnerable to this exploit out of the box while IIS 5 is.

It deosn't seem to be default... (1)

tychovi (1221054) | more than 5 years ago | (#28024243)

since ~70% of the hits on a quick google are how to turn on and configure WebDAV. But this also means that there seems to be a good bit of interest in using it...

Are they big enough? (-1, Offtopic)

camcorder (759720) | more than 5 years ago | (#28024289)

I think the story of big is a lie, and I see it all the time in "big" corporations. Employing thousands, and having revenues of billions of dollars make you look "big" but in reality they are incapable of doing very basic things, maybe their "big" body paralizes themselves, but that does not change the truth.

While most of the companies dream to be one of these "big" ones, they miss that they are much more helpful to their customers when they are "small", because I never got ignored by a small company I worked with about a bug in their service, and moreover they quickly fixed or showed me a work around it quickly.

And what we see with "big" ones? Posted company Microsoft, knows the problem, they have money, and manpower to fix it. Or that's what we believe in. At the end, what we see is, their 'capability' is such a big lie and only hidden behind the images we're supposed to believe.

This economic crisis made me think more about the concept of "big". I see lots of "big" companies these days, laying of people as if their employees are member of flocks that they wanted to butcher. It's not their bussinesses that drives them but the numbers and 'analysists'. I mean, think about Lehman Brothers, and how in the earth you think of something to be "big", if it collapsed in just a single year. Who can't claim same thing won't happen for "big" companies in IT industry. Now I belive that "big corporations" are just projections of small companies together which does hell lot of better job than the leeches they serve for.

Re:Are they big enough? (0, Offtopic)

MickyTheIdiot (1032226) | more than 5 years ago | (#28024475)

I posted yesterday in reply to someone yesterday I wrote, after he gave a list of multinational corporation products we would "miss" if we didn't have them, that there are damn few products that have to be made by a big corporation, especially given the Internet and the technology available to us now as opposed to 25 or 30 years ago.

I think you can take that further and say there are a lot of products that can be made a hell of a lot better by a smaller company rather than a multi-national. If that weren't the case, why would we see so many cases of huge corporations that have to spin off or have to set up semi-autonomous units in order to make good quality products.

Also the definition of "big corporation" is HAZY right now methinks. We should probably be defining "big" these days as in number of dollars or as number of countries. The same tech that makes it possible for small companies to compete on an large scale allows big companies to work with small numbers of workers. "Big" companies don't need the unwashed masses like they used to; they can easily be multi-billion with a relative handful of people. Especially in the US, where the only business model there seems to be right now is 1)buy from overseas 2)sell at huge markup 3)PROFIT!!

Re:Are they big enough? (-1, Offtopic)

MickyTheIdiot (1032226) | more than 5 years ago | (#28024499)

Meta-modders take note... how the hell is that article flamebait??

Re:Are they big enough? (2, Insightful)

x2A (858210) | more than 5 years ago | (#28024653)

Anything Microsoft related on Slashdot forums is automatically flamebait because of the emotional reactions the mere word 'Microsoft' triggers in so many Slashdotters which makes it unpossible to have a proper serious, well thought out debate. Just look at the replies it's getting. It's pathetic huh.

Re:Are they big enough? (1, Funny)

Anonymous Coward | more than 5 years ago | (#28025719)

That sounded dangerously close to being pro-Microsoft, comrade...

Re:Are they big enough? (1)

x2A (858210) | more than 5 years ago | (#28027553)

What, because emotional hysteria is the necessary defence for Microsoft's evils in the world? If we aren't angry and if we don't hate, then MS wins???

Re:Are they big enough? (0)

Anonymous Coward | more than 5 years ago | (#28028145)

What, because emotional hysteria is the necessary defence for Microsoft's evils in the world? If we aren't angry and if we don't hate, then MS wins???

See ? You got it in the end.

Not a typical configuration (4, Informative)

jsnipy (913480) | more than 5 years ago | (#28024299)

This is really not a typically configuration for an outward facing site. Acting like this is some great find and "game over" scenario is a little far fetched. "Downplay" is flamebait in this context. But, it does make a good m$ bashing opportunity!

Re:Not a typical configuration (1, Troll)

Idiot with a gun (1081749) | more than 5 years ago | (#28024385)

Mayhaps it isn't a major bug, but this is exactly what Microsoft does every time. Downplay their bugs (and take their sweet time patching them), while bashing any high profile bugs that crop up in open source projects. I'd be more impressed if their response was "There's a bug in IIS, don't use feature X or configuration Y while we fix it."

Re:Not a typical configuration (1)

Ralish (775196) | more than 5 years ago | (#28025009)

Workaround #1: Turn off WebDAV
Turning off WebDAV might be a good option if you are not using it or can live without out until we have a security update available. You can find instructions at http://support.microsoft.com/kb/241520 [microsoft.com] .

Source: http://blogs.technet.com/srd/archive/2009/05/18/more-information-about-the-iis-authentication-bypass.aspx [technet.com]

Re:Not a typical configuration (1)

turbidostato (878842) | more than 5 years ago | (#28030693)

"Turning off WebDAV might be a good option if you are not using it or can live without out until we have a security update available"

Of course, not turning it on to start with, if you don't use it or can live without it is out of consideration.

Re:Not a typical configuration (-1, Offtopic)

ionix5891 (1228718) | more than 5 years ago | (#28024399)

whats this? a 4rd msft article on /. frontpage!

looks for a linux article... nope none.. does mac count?

no wonder linux is scratching with 1% "penetration" when the flagship linux "propahanda" (i kid i kid thats a joke) site cares more about windooz

all publicity is good publicity they say...

Re:Not a typical configuration (0, Offtopic)

ionix5891 (1228718) | more than 5 years ago | (#28024423)

edit: 4th :P

when will slashcode implement editing and Unicode?

not a typically configuration (1)

rs232 (849320) | more than 5 years ago | (#28028213)

"This is really not a typically configuration for an outward facing site"

How do you know this, is IIS shiped by default with this 'safe' configuration?

"the flaw is currently being exploited in online attacks, according to CERT", and according to theReg, Ball State University was hacked using this exact same exploit.

'Shortly after the attack, students checking their iWeb pages were greeted with a message [slashdot.org] that said they had been hacked'

ISS bug (1)

googlesmith123 (1546733) | more than 5 years ago | (#28024355)

Nasa downplays ISS bug.

Re:ISS bug (0)

Anonymous Coward | more than 5 years ago | (#28024453)

Will probably only affect very few people when it crashes into the earth.

Re:ISS bug (0)

Anonymous Coward | more than 5 years ago | (#28024609)

ISS Bugs like in Killer Insects Loose In Space.

Re:ISS bug (2, Funny)

Ash-Fox (726320) | more than 5 years ago | (#28024771)

Nasa downplays ISS bug.

Fortunately they have got a Russian on board the space station.

"This is how we fix things on Russian space station!" --Lev Andropov

(He then proceeds to take a hammer and whack the equipment.)

The researcher nixes MS downplaying (4, Informative)

Twillerror (536681) | more than 5 years ago | (#28024363)

http://blog.zoller.lu/2009/05/iis-6-webdac-auth-bypass-and-data.html [zoller.lu]

Several news stories seem to allude that Microsoft is artificially downplaying the threat, citations of myself are used to underline the headline in an "us against Microsoft" kind of way. I want to clarify that I have the utmost respect of the MSRC team and I don't suspect Microsoft to willingly downplay anything. They also claim I am from Belgium, I am obviously from Luxembourg. The bug also is not the same as the IIS4/5 one, it's root cause is similar. That's about it.

Translation for American audiences ONLY (1)

Zontar_Thing_From_Ve (949321) | more than 5 years ago | (#28025185)

They also claim I am from Belgium, I am obviously from Luxembourg.

I used to work at a US office of a large French company, so I have some insights into this statement that might not be apparent to the typical American. Consider this as if he had said:
They also claim I am from Alabama. I am obviously from Tennessee.
and you'll have a rough idea of what he is saying and why he doesn't like it to be said that he's from Belgium.

Re:Translation for American audiences ONLY (1)

ShadowRangerRIT (1301549) | more than 5 years ago | (#28025679)

But I'm from D.C., and live in NYC. So both Alabama and Tennessee sound like hick country to me! Can I get a different analogy?

I'm half joking.

Internal Memo (5, Funny)

geoffrobinson (109879) | more than 5 years ago | (#28024375)

To Whom It May Be Concerned:

Warner Bros., in an ill-advised attempt to promote Terminator Salvation, created a Skynet virus which aims to take over the world.

For some reason, it targets IIS.

We're doomed. Please head to the bomb shelter and the world will start again with a base of Microsoft employees.

thank you,
Management

Re:Internal Memo (0, Troll)

93 Escort Wagon (326346) | more than 5 years ago | (#28024845)

the world will start again with a base of Microsoft employees.

Assuming they're allowed to reproduce - I've met several of them, and I don't think that's a safe assumption (unless they're interbreeding, but that might not produce viable offspring).

Re:Internal Memo (0)

Anonymous Coward | more than 5 years ago | (#28024855)

To Whom It May Be Concerned:

Fox, taking a clue from the RIAA and MPAA in an ill-advised attempt to piss off its own fanbase, cancelled Terminator: The Sarah Conor Chronicles [guardian.co.uk] .

Re:Internal Memo (1)

geoffrobinson (109879) | more than 5 years ago | (#28025093)

While I'm glad they are setting this movie in the future, my enthusiasm has been diminished by the cancellation. Seriously, I need to make sure I don't get too attached to any show on that network.

Re:Internal Memo (1)

SBrach (1073190) | more than 5 years ago | (#28029797)

Like the Simpsons?

No not a Microsoft Bug (-1, Troll)

LinuxOverWindows (1549895) | more than 5 years ago | (#28024445)

The entire OS has this kind of bug, it's simple closed source, closed mind, open bugs. I don't want to rag but are we surprised. Now we have to wait for them to fix the bug which is going to involve getting a patch. Knowing how poorly Windows is designed someone will crack the patch to get access which will need a patch and so on.

It's a really simple formula, Windows = Broken or in c code, Windows == Broken, there is always a patch, a bug, a hole or an excuse. Come on Microsoft test your software.

Thanks
LinuxOverWindows

Re:No not a Microsoft Bug (1)

Paralizer (792155) | more than 5 years ago | (#28024841)

Are you implying that no other operating system has bugs, or that open source guarantees bug free code? I'm pretty sure you'd be wrong.

(Disclaimer: I love Linux and have been using it at home for years, but I'm sure as hell not going to go around and tell everyone that it's rock solid and bug free just because it's open and I like it.)

Re:No not a Microsoft Bug (1)

heffrey (229704) | more than 5 years ago | (#28025155)

This attitude (open implies better) is what I call faith based IT.

Re:No not a Microsoft Bug (1)

LinuxOverWindows (1549895) | more than 5 years ago | (#28025747)

I never said that, but what I'm implying and is true with out a doubt is that closed source has more bugs!

Good news (1)

john_roy (1538777) | more than 5 years ago | (#28024489)

This is the kid of news that always put a smile on my face.
It's reassuring to know that hackers have plenty to entertain themselves with windows servers, letting my Linux boxes alone.

Serious question (3, Interesting)

Ash-Fox (726320) | more than 5 years ago | (#28024643)

Serious question, has the Apache package even had any bad vulnerabilities like this in the past ten years?

Re:Serious question (1)

iamhigh (1252742) | more than 5 years ago | (#28024761)

Re:Serious question (1)

Just Some Guy (3352) | more than 5 years ago | (#28024879)

That query shows all results even tangentially related to Apache family. You need to look at the advisories for Apache 2.2 [secunia.com] , Apache 2.0 [secunia.com] , and Apache 1.3 [secunia.com] specifically.

Re:Serious question (1)

marcosdumay (620877) | more than 5 years ago | (#28028009)

Wow! [secunia.com] Using a 403 error page to make another server put bad code into the user's browser is genial. That is why I like security people, I'd never think about something lke that.

Re:Serious question (1)

AvitarX (172628) | more than 5 years ago | (#28024961)

I see 541 advisories(many look like duplicates by distro at a glance), but I am NOT going to look for myself and see if any of them are major. That sounds like a lot of work.

Re:Serious question (2, Informative)

dkleinsc (563838) | more than 5 years ago | (#28024973)

For lazy people, about 3 vulnerabilities classified as "Highly" critical, 0 "Extremely", out of a total of around 50 across Apache 1, Apache 2.0.x, and Apache 2.2.x. Of the 50, the vast majority are at least partially fixed.

It's hard to get a fix on equivalent numbers for IIS, since they all seem to fall under the MS Windows category.

Re:Serious question (5, Interesting)

Twillerror (536681) | more than 5 years ago | (#28025071)

Serious answer. Apache is a modular beast and since doesn't get blaimed for modular problems like this.

There have been issues even bigger in various mods like mod_php.

Even code red was a problem with Internet printing and not really the core IIS. Maybe IIS should have blocked it and already had URLScan, but ultimately it was just passing a URL along some C++ code that blew up. MS created that .DLL so we can blame MS..but blaiming IIS itself was slightly off.

The core of both IIS and Apache have been pretty well hardened. Hence why WebDav is turned off in IIS 6. Even .ASP has to be turned on during setup.

MS puts out it's own mods essentially...where Apache would have a different team working on WebDAV. If the same "exploit" was found in mod_webdav who could we really blame. Yell at the Apache foundation...no we would professionally fix the issue. Maybe some flaimbaiters on the other side would yell..."see open source is less secure".

Softwares has bugs, some of them are security related. When open source creates them they are presented as bugs...when MS creates them it is some kind of great conspiracy to rule the world. Some guy just like you wrote this bad code and is probably feeling like crap today. Some tester let it get thru and is feeling really crappy today. A bunch of dudes in at both MS and the rest of the security community are pulling up their britches and getting it fixed...move along nothing to really see here.

Re:Serious question (1)

Foofoobar (318279) | more than 5 years ago | (#28026129)

Well the problem isn't just that one developer and tester let it through. They let it through TWICE! After the first time, you would have thought that they would have built a class/function/api to handle all URL's and do the cleaning automatically. That way any app sending URL's through the system could have them cleaned the same way so as to avoid an exploit.

This constant lack of consistency is a Microsoft trademark where one hand doesn't know what the other hand is doing and as a result issues that they say were fixed keep coming up over and over and over. And I think that's the real bitch people have. If there's any kind of conspiracy, it's a conspiracy of dunces.

Re:Serious question (1)

cl0s (1322587) | more than 5 years ago | (#28027331)

Yea difference is, if I'm Big Company A using Apache and we find a bug/security flaw we can hire someone to fix it or call up apache or the mod creator and pay him to fix it immediately and patch our servers. Big Company B that uses IIS finds a bug and they can either turn the service off and wait for a fix to be released (which might not be an option depending on how critical that service is for the company) or just have to hope its not exploited while Microsoft patches it - whenever they feel like, depending on the severity and how many other customers it also effects, etc.. Even Small Company can have an influence or fix whatever is found in Apache themselves. With IIS, you kind of just have t wait.

I don't care which one you prefer but that's just the truth of it.

Re:Serious question (1, Interesting)

Anonymous Coward | more than 5 years ago | (#28027567)

Actually, if you're a big enough company you can get the same response from Microsoft. You call through their incident support line and get through to the project support lead for the product in question and they can manage putting together a hot fix. It will cost you, but it would cost you either way. I worked for a fairly small company five years ago and we got the lead developer from the Microsoft SNA division to create a custom patch for a bug that we identified on a Sunday morning at 2:00 AM. In all it cost us $200.

In the majority of cases the company is going to sit tight and wait on support through the platform company, whether that be Microsoft, Red Hat, Oracle, Dell, whatever. The number of companies that actually seek out a custom fix would be in the extreme minority as deploying such custom code into a production environment is a liability in of itself.

It's not a big deal (5, Funny)

SlappyBastard (961143) | more than 5 years ago | (#28024705)

Anyone using the exploit is prompted repeatedly about whether they really, really want to do it.

Geez. Don't you people know anything about Windows security?

Re:It's not a big deal (1)

pyrr (1170465) | more than 5 years ago | (#28025281)

Security by annoyance?

This is another Unicode hole (2, Interesting)

spitzak (4019) | more than 5 years ago | (#28028581)

It sounds like the basic cause is something attempting to translate a string into "unicode" before using it.

For some reason, normally intelligent programmers turn into complete morons when presented with UTF-8 and other Unicode encodings. They become convinced that it is somehow physically impossible to do anything to these strings without first finding all the "characters" (actually Unicode code points, which are not "characters") and will write pages and pages of elaborate and bug-prone code to do this and "count characters". This code is COMPLICATED and there is the basic fact that the mapping is often not 1:1 and even when it is different implementations vary and thus don't invert correctly. This causes bugs, nasty ones like you can see right. here.

In fact it would be trivial to just treat it as a string of bytes that happens to maybe represent some text. The ONLY time you need "characters" is when you are rendering the string into an image that humans will look at, and if you want to do semantic analysis such as grammar checking. It is not needed if you are looking for the period that starts the extension or trying to find a number.

What is really sad and mysterious is that this disease only seems to be triggered by UTF-8. Nobody worries about finding the boundaries between "words". Nobody seems to worry about UTF-16 surrogate pairs, and nobody was really concerned with older Japanese multi-byte encodings.

This is NOT Microsoft-specific so don't feel complacent. Microsoft's moronic decision to name files with UTF-16 is really bad, but witness open source Python 3.0 which has decided that all strings will have to be converted to "unicode" (acutally UTF-16 or UTF-32 depending on the platform) before anything is done to them. Python is heavily used to parse HTML and URLs and I expect a huge mess from this stupid idea.

I'm sure there will be a few responses claiming some magical property of "characters" so that you can't do anything about it. PLEASE, try some thought experiments. Try substituting "words" in your example, it will either be stupid, or you will realize that that only a tiny portion of software needs it. Go and write some code where you leave the strings in UTF-8 and maybe you will learn.

Load More Comments
Slashdot Login

Need an Account?

Forgot your password?