Monday, September 21, 2009

Hackers exploit FTP flaw in Microsoft's IIS

Sites running the FTP service on Microsoft's Internet Information Services (IIS) Web software may be vulnerable to attacks.

Microsoft says FTP service versions 5 and 6 are affected, but claims version 7.5 is unaffected on Vista and Windows Server 2008.

Webmasters take note: if you use Microsoft's FTP service, attackers could plant code on your servers or launch a denial-of-service (DoS) attack against your site. According to Microsoft, a newly discovered set of FTP flaws allows an attacker to install unauthorized software on an Internet Information Services (IIS) server or to crash the box. The vulnerable versions of the FTP service shipped on several flavors of Windows and Windows Server over the years.

Microsoft says the latest version of the FTP service, 7.5, is safe on Vista and Windows Server 2008. The remote-execution vulnerability, which was first described on the Milw0rm security site on Aug. 31, could allow an attacker to run malicious code. Modern versions of Windows have a feature called /GS (a buffer security check) that protects them from remote-code execution, but earlier versions do not. The newly announced vulnerabilities include a buffer-overflow flaw, which could lead to a DoS attack against any of the affected versions of Windows.

The buffer-overflow attack relies on an anonymous account that has both read and write permissions. The threat, however, isn't limited only to anonymous users.
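As an added defender-side example (not code from the original article or from Microsoft), the script below scans an IIS FTP log for write operations performed under the anonymous logon, the precondition the article names. The W3C field layout, the `[n]`-prefixed verbs and the sample lines are constructed assumptions, not captured data.

```python
import re

# Constructed sample of IIS 6 FTP logging in W3C extended format (field layout
# assumed: date time c-ip cs-username cs-method cs-uri-stem sc-status).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2009-09-01 10:00:01 192.0.2.10 anonymous [1]USER anonymous 331
2009-09-01 10:00:01 192.0.2.10 anonymous [1]PASS - 230
2009-09-01 10:00:05 192.0.2.10 anonymous [1]sent /pub/readme.txt 226
2009-09-01 10:01:12 192.0.2.10 anonymous [1]created /pub/incoming/tool.exe 226
2009-09-01 10:01:20 192.0.2.10 anonymous [1]MKD /pub/incoming/newdir 257
2009-09-01 10:02:00 198.51.100.7 webmaster [2]USER webmaster 331
2009-09-01 10:02:00 198.51.100.7 webmaster [2]PASS - 230
2009-09-01 10:02:09 198.51.100.7 webmaster [2]created /site/index.html 226
"""

# Log verbs that change server state; "created" is assumed to be how an upload is recorded.
WRITE_METHODS = {"created", "MKD", "RMD", "DELE", "RNTO"}
SESSION_PREFIX = re.compile(r"^\[\d+\]")  # assumed session-id prefix on cs-method

def parse_log(text):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split(None, len(fields) - 1)
        if len(values) != len(fields):
            continue  # malformed line: skip rather than mis-assign columns
        yield dict(zip(fields, values))

def find_anonymous_writes(text):
    """Return (client ip, verb, path) for every write done by an anonymous logon."""
    hits = []
    for rec in parse_log(text):
        verb = SESSION_PREFIX.sub("", rec["cs-method"])
        if rec["cs-username"].lower() == "anonymous" and verb in WRITE_METHODS:
            hits.append((rec["c-ip"], verb, rec["cs-uri-stem"]))
    return hits

if __name__ == "__main__":
    for ip, verb, path in find_anonymous_writes(SAMPLE_LOG):
        print(f"anonymous write from {ip}: {verb} {path}")
```

Any hit means the anonymous account can write to the server, which is the configuration the advisory's workaround of removing anonymous write access is meant to eliminate.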

Microsoft has updated security advisory 975191 to discuss all the known unpatched FTP exploits in IIS.
