“We have been debating how to start out this advisory. How do you explain that 90% or so of the Windows NT web servers on the Internet are open to a hole that lets an attacker execute arbitrary code on the remote Web server?”
eEye’s Digital Security Team recently issued a security alert regarding the latest release of Microsoft’s Internet Information Server 4.0, “the most commonly used web server on the Internet.”
According to the eEye alert, the team discovered the flaw while testing its Retina network security scanning product: by exploiting a buffer overflow bug in the web server software, an attacker could remotely execute code and gain system-level access to all data housed on the server.
What this means, of course, is that outside, hostile forces could potentially exploit this vulnerability to assume control of Web sites, including e-commerce operations, accessing credit card information and more.
“When the team notified me of the breach, I felt the ground move,” commented Firas Bushnaq, president & CEO of eCompany LLC, an e-commerce firm and parent company of eEye. “Are you telling me that our Web sites, online businesses and our clients’ data are open to any cracker with half a brain?”
Microsoft’s Security Advisor page posted a workaround to assist users in dealing with the problem, but at press time had not yet posted a patch “to eliminate the vulnerability altogether.”
According to a Microsoft security bulletin dated 6.15.99 — one week after eEye notified the software giant of the hole they’d discovered — the vulnerability could allow either denial of service attacks against an IIS server or, under certain conditions, it could allow arbitrary code to be run on the server.
The eEye advisory states that this security hole might permit remote access to an IIS server if an attacker finds a buffer overflow in .HTR files, exploiting a capability that allows users to remotely change their password. ISM.DLL, which processes .HTR files, could be disabled, essentially granting the unauthorized access.
“We’ve Created The Hacker On Steroids”
Retina, The Network Security Scanner, is currently available for beta testing from eEye’s Web site. According to the firm, “one of Retina’s features utilizes an Artificial Intelligence engine that is designed to think like a hacker. Collecting data and mining for information from the target network or Web server.”
The data is then used in auditing efforts to spot potential vulnerabilities and weaknesses in security, such as what was found with the Microsoft server product. “We’ve just released the first beta of Retina one week ago and already we have more than three major exploits on our hands, and we’ve definitely created the hacker on steroids, I can imagine what’s coming in the next month,” stated a member of the eEye Digital Security Team.