Another security hole has been identified in the Internet Information Server (IIS) produced by Microsoft. This one, however, is merely a new exploit of an old vulnerability that many online companies have chosen to ignore, according to Microsoft.
Microsoft, which originally released a security bulletin in July of 1998, issued an update last week pursuant to information provided by an online security firm. The vulnerability involves the Microsoft Data Access Components (MDAC), and could allow, according to the company, “a Web site visitor to take unauthorized actions on a hosted Web site using Internet Information Server.”
Gregory H. Gonzalez, an executive with Information Technology Enterprises, Inc. (ITE), discovered a new exploit of what was thought to be an old problem and reported it to Microsoft last month. Since then, a hacker known as Rainforest Puppy has identified another exploit, leaving many online firms bewildered and alarmed.
Are You Vulnerable?
The exploit should be of concern for companies using MDAC 1.5 and 2.0, and possibly 2.1, running on Microsoft’s IIS 3.0 or 4.0. Attackers may be able to execute shell commands, tunnel data requests through a private back-end network and gain unauthorized access to secure files. Some reports have indicated that companies such as Compaq have already been impacted.
Gonzalez disclosed, in a Wired report, that 50 percent of the IIS sites that ITE examined have been affected. According to Microsoft, “the vulnerability requires a configuration change to eliminate it, rather than a patch.” Details are available through the official Web site of the Redmond, Washington-based software titan.
A Difference of Opinion Between the Security Experts
As they moved to help correct the situation, ITE attacked other online security firms. “Unlike some companies who would have exploited the hole and released it to the public,” said a company statement, ITE “feels obligated to the technology and business communities to go through the proper channels to warn the public.”
Online security firm L0pht, which both notifies software vendors and publicly posts exploit information upon discovering a vulnerability, operates under a policy known as “full disclosure.” The Boston-based company maintains that its policy is necessary in order to get the software vendors involved to take action.
ITE’s statement demonstrates a growing controversy in the online security world. Many industry analysts continue to argue about the line between looking out for the greater good, as L0pht claims to do, and simple pranksterism.
With the L0pht release this week of a new network security product — and a similar product release forthcoming from hacker/cracker group Cult of the Dead Cow — the controversy, according to experts, will only expand.