A hacker has posted code on his Milw0rm website that could be used to attack a system running Microsoft Internet Information Services (IIS) server and install unauthorized software on it. The good news is that the attack appears to work only on older versions of IIS; versions 7.x are not affected. The flaw resides in the File Transfer Protocol (FTP) service that ships with IIS, meaning that the FTP service must be installed and enabled for an attack to be successful. The risk posed by this vulnerability isn't completely clear yet, but Microsoft says it is looking into the issue.

"Microsoft is investigating new public claims of a possible vulnerability in IIS 5 and IIS 6 File Transfer Protocol (FTP) and is currently unaware of any attacks trying to use the claimed vulnerability or of customer impact," a Microsoft spokesperson told Ars. The software giant will take steps to determine how customers can protect themselves if the vulnerability is confirmed and will take whatever action it determines is appropriate to protect customers once the investigation is complete.

The company might address the vulnerability on this month's Patch Tuesday, it may be delayed to next month, or it may release an out-of-cycle update. Given that the issue doesn't affect the latest version, it's unlikely that Microsoft will go with the third option.

The United States Computer Emergency Readiness Team (US-CERT) also issued a security warning regarding the flaw: "US-CERT is aware of a public report of a vulnerability affecting the Microsoft Internet Information Services (IIS) FTP service," reads a message on the organization's website. "This vulnerability may allow a remote attacker to execute arbitrary code." US-CERT recommends that administrators disable anonymous write access to the FTP server to help mitigate the vulnerability, and says it will provide additional information as it becomes available.

Update

Microsoft has now issued Security Advisory 975191 regarding the issue. Affected software includes Windows 2000, Windows XP, and Windows Server 2003 running IIS 5.0, IIS 5.1, and IIS 6.0. Microsoft also confirmed that Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2, in conjunction with IIS 7.0 and IIS 7.5, are not affected.

Here's what Microsoft is currently acknowledging:

Mitigating Factors

FTP service is not installed by default on all supported editions of Windows XP or Windows Server 2003. However, FTP service is installed by default on all supported editions of Microsoft Windows 2000 and all supported editions of Windows Small Business Server 2003.

Affected systems are not vulnerable unless untrusted FTP users are granted write access. By default, FTP users are not granted write access.

IIS 6.0 is at reduced risk because it was compiled using the /GS compiler option. This does not remove the vulnerability but does make exploitation of the vulnerability more difficult.

Workarounds

Modify NTFS file system permissions to disallow directory creation by FTP users

Do not allow FTP write access to untrusted anonymous users

Disable the FTP service
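Both US-CERT's advice and Microsoft's workarounds come down to the same question: are anonymous FTP users able to write, and in particular to create directories, on the server? The script below is an added example (not from the article, US-CERT or Microsoft) that audits this from the server's own W3C extended FTP logs, flagging every write-type FTP command (directory creation, uploads, renames, deletes) issued from an anonymous session. The sample log lines are constructed to approximate the IIS 5/6 FTP log layout, in which each command is prefixed with a session number in square brackets; the field names are read from the `#Fields:` directive rather than hard-coded, so the parser follows whatever columns the server is configured to log. The verb list and the anonymous user names are assumptions to adjust for a given deployment.

```python
"""Flag write-type FTP commands from anonymous sessions in IIS W3C FTP logs.

Added example for illustration; not code from the article or from Microsoft.
Assumptions: W3C extended format with a '#Fields:' header, IIS-style
'[session]VERB' cs-method values, and anonymous logins named 'anonymous'/'ftp'.
"""
import re
from typing import Dict, Iterator, List

# Commands that modify server-side state. The lower-case IIS summary verbs
# ('created' for a completed upload, etc.) are included alongside the raw
# FTP verbs; adjust this set to match the verbs your logs actually contain.
WRITE_VERBS = {"MKD", "XMKD", "RMD", "XRMD", "STOR", "STOU", "APPE",
               "DELE", "RNFR", "RNTO", "CREATED", "DELETED", "RENAMED"}
ANON_USERS = {"anonymous", "ftp"}          # assumed anonymous account names
METHOD_RE = re.compile(r"^\[(\d+)\](\S+)$")  # e.g. "[3]MKD" -> session 3, verb MKD

# Constructed sample log (not a real capture).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2009-09-01 00:00:00
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status sc-win32-status
2009-09-01 10:01:02 10.0.0.5 - [1]USER anonymous 331 0
2009-09-01 10:01:02 10.0.0.5 anonymous [1]PASS - 230 0
2009-09-01 10:01:05 10.0.0.5 anonymous [1]MKD /pub/incoming/aaaa 257 0
2009-09-01 10:01:06 10.0.0.5 anonymous [1]sent /pub/readme.txt 226 0
2009-09-01 10:02:00 10.0.0.9 - [2]USER alice 331 0
2009-09-01 10:02:00 10.0.0.9 alice [2]PASS - 230 0
2009-09-01 10:02:10 10.0.0.9 alice [2]MKD /home/alice/reports 257 0
2009-09-01 10:03:00 10.0.0.5 anonymous [1]STOR /pub/incoming/x.bin 550 5
"""


def parse_w3c(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if not fields:
            raise ValueError("data line encountered before a #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip rather than misattribute columns
        yield dict(zip(fields, values))


def find_anonymous_writes(text: str) -> List[Dict[str, object]]:
    """Return write-type commands issued by anonymous sessions, in log order.

    The USER command is tracked per (client IP, session number) so that lines
    logged with cs-username '-' can still be attributed to the login name.
    """
    session_user: Dict[tuple, str] = {}
    findings: List[Dict[str, object]] = []
    for rec in parse_w3c(text):
        m = METHOD_RE.match(rec.get("cs-method", ""))
        if not m:
            continue
        session, verb = m.group(1), m.group(2)
        key = (rec.get("c-ip", "-"), session)
        if verb.upper() == "USER":
            session_user[key] = rec.get("cs-uri-stem", "-")
            continue
        user = rec.get("cs-username", "-")
        if user == "-":
            user = session_user.get(key, "-")
        if user.lower() not in ANON_USERS or verb.upper() not in WRITE_VERBS:
            continue
        status = rec.get("sc-status", "")
        findings.append({
            "date": rec.get("date"), "time": rec.get("time"),
            "c-ip": rec.get("c-ip"), "user": user, "verb": verb,
            "path": rec.get("cs-uri-stem", "-"), "status": status,
            # FTP reply codes below 400 indicate the command was accepted
            "succeeded": status.isdigit() and int(status) < 400,
        })
    return findings


if __name__ == "__main__":
    for f in find_anonymous_writes(SAMPLE_LOG):
        outcome = "OK" if f["succeeded"] else "FAILED"
        print(f"{f['date']} {f['time']} {f['c-ip']} {f['user']} "
              f"{f['verb']} {f['path']} -> {f['status']} ({outcome})")
```

Run against the constructed sample, the script reports the anonymous MKD (accepted, reply 257) and the anonymous STOR (refused, reply 550) while ignoring the authenticated user's directory creation. A successful anonymous MKD in a real log means the first two workarounds are not in effect on that server; failed write attempts are still worth keeping, since they show who is probing.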

Although Microsoft says it is aware of the detailed exploit code that has been published on the Internet, the company says it is not currently aware of active attacks. We will keep you updated on how Microsoft takes action.

Update 2

The Microsoft Security Response Center has posted an update on the situation:

Today we updated Security Advisory 975191 as we are now seeing limited attacks. Additionally, a new proof of concept was published allowing for Denial of Service (DoS) attacks on Windows XP and Windows Server 2003 with read access to the File Transfer Protocol (FTP) service. This does not require Write access. Also, a new POC allowing DoS was disclosed this afternoon that affects the version of FTP 6 which shipped with Windows Vista and Windows Server 2008. Customers should be aware that the Download Center has FTP 7.5 available for Windows Vista and Windows Server 2008. FTP 7.5 is not vulnerable to any of these exploits. The initial vulnerability was not responsibly disclosed to Microsoft, which has led to limited, active attacks putting customers at risk. We continue to encourage responsible disclosure of vulnerabilities. We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests. This practice helps to ensure that customers receive comprehensive, high-quality updates for security vulnerabilities without exposure to malicious attackers while the update is being developed.

Microsoft says it is still working on a security patch. We already know that it won't be ready by this month's Patch Tuesday.