The Inquirer-Home

Microsoft tells hackers how to take apart its IIS

As if they needed a hand
Wed Jun 06 2007, 11:36
MICROSOFT IS showing all comers how to hack into its Internet Information Server and is not giving any hints how to work around the problem.

The Vole says an exploit, which was discovered on December 15, 2006, and made public at the end of May, is actually a feature.

Apparently versions 5.x allow bypass of basic authentication by using the "hit highlight" feature. The hit-highlighting feature can be used by an unauthorised user to nick documents.

The Internet Storm Centre says that hackers have not used this exploit to take over systems to date, that could well change. Especially now we've told them about it.

The Vole has written up the problem in its Knowledge Base article 328832. Apparently, hit-highlighting with Webhits.dll only relies on the Microsoft Windows NT ACL (Access Control List) configuration on 5.x versions.

Security experts are a bit stunned at the Volish attitude. Rather than supply a patch or workaround, Microsoft published six steps to reproduce the exploit. In otherwords Vole is telling the world how to exploit products being used by their customers.

The official Volish line is that all users should upgrade to IIS (Internet Information Services) version 6.0 running on Microsoft Windows Server 2003. IIS 6.0 significantly increases Web infrastructure security, it says here.

And here. µ


Share this:

blog comments powered by Disqus
Subscribe to INQ newsletters

Sign up for INQbot – a weekly roundup of the best from the INQ

INQ Poll

Dead electronic devices to be banned on US-bound flights

Will the new rules banning uncharged devices be effective?