MICROSOFT HAS NO PLANS to fix a flaw in Internet Information Services (IIS) 6.0 which could affect up to 600,000 web servers.
The zero-day vulnerability appears in the Web Distributed Authoring and Versioning (WebDAV) component of Microsoft's web server IIS 6.0. WebDAV is an extension of the HTTP protocol that allows clients to write web content remotely.
WebDAV has a method called PROPFIND which allows a user to retrieve properties of a resource. There is also a header called IF which handles the state token. By issuing an overly large IF header in a PROPFIND request, an attacker may be able to create a denial of service condition or run arbitrary code in an application, reports security vendor Trend Micro in a blog post.
The vulnerability was found by researchers Zhiniang Peng and Chen Wu of the South China University of Technology in Guangzhou, China. The researchers say that it has already been exploited in the wild, with incidents observed last year. It was made public on 27 March and the researchers say that "other threat actors are now in the stages of creating malicious code based on the original proof-of-concept (PoC) code".
The vulnerability was found in systems running IIS 6.0 on Windows Server 2003 R2. The extended support period for Windows Server 2003 by Microsoft ended 20 months ago, so there is no official security fix for this issue.
IIS 6.0 is still running on more than 600,000 publicly accessible servers, according to the internet-connected device search engine Shodan, and most of these are likely to be running Windows 2003.
However, the true number of these servers that are actually vulnerable is unclear. For starters, there may be many more operational servers that are inaccessible from the internet. Secondly, many will not have WebDAV enabled. Researcher Iraklis Mathiopoulos found that only 10 per cent of those discovered by Shodan appear to be running WebDAV.
A patch for CVE-2017-7269 has been released by 0patch, but in the absence of an official fix, users are urged to disable WebDAV and, if possible, upgrade to a newer operating system. µ
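Two checks follow from the article: confirming that WebDAV is really off on an IIS 6.0 host (the "disable WebDAV" advice above and the point that only a fraction of Shodan-listed servers expose it), and spotting the request shape the article describes, a PROPFIND carrying an unusually long If header, at a reverse proxy or log pipeline in front of a server that cannot be patched. The code below is an added example written for this page, not code from the article, Trend Micro or the researchers; the sample OPTIONS responses and requests are constructed, and the 512-byte If-header threshold is an assumption to be tuned to what legitimate WebDAV clients send, not a value from the advisory.

```python
"""
Added example (not from the article): two defensive checks around the
IIS 6.0 WebDAV issue described above.

1. webdav_enabled(): decide from an OPTIONS response whether a server still
   advertises WebDAV (a DAV: header, or WebDAV methods in Allow:). This is
   what an admin would run against their own host after disabling WebDAV.
2. flag_oversized_if(): a request-filter style check that flags PROPFIND
   requests carrying an unusually long If: header, for logging or blocking
   at a reverse proxy or WAF in front of an unpatched server.

All HTTP messages below are constructed for the example.
"""

IF_HEADER_LIMIT = 512  # assumption: tune to what legitimate clients actually send


def parse_http_message(raw: bytes):
    """Split a raw HTTP/1.1 message into (start_line, {lowercase-name: value})."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    start_line = lines[0].decode("latin-1")
    headers = {}
    for line in lines[1:]:
        if b":" not in line:
            continue  # tolerate a malformed header line rather than crash
        name, value = line.split(b":", 1)
        key = name.strip().lower().decode("latin-1")
        val = value.strip().decode("latin-1")
        # repeated headers are comma-joined, as RFC 7230 permits
        headers[key] = val if key not in headers else headers[key] + ", " + val
    return start_line, headers


def webdav_enabled(options_response: bytes) -> bool:
    """True if the OPTIONS response advertises WebDAV in any way."""
    _status, h = parse_http_message(options_response)
    if "dav" in h:
        return True
    allow = {m.strip().upper() for m in h.get("allow", "").split(",") if m.strip()}
    return bool(allow & {"PROPFIND", "PROPPATCH", "MKCOL", "LOCK", "UNLOCK"})


def flag_oversized_if(request: bytes, limit: int = IF_HEADER_LIMIT) -> dict:
    """Report the method, If-header length and whether the request should be flagged."""
    start, h = parse_http_message(request)
    method = start.split(" ", 1)[0].upper()
    if_len = len(h.get("if", ""))
    suspicious = method == "PROPFIND" and if_len > limit
    return {"method": method, "if_header_length": if_len, "suspicious": suspicious}


# Constructed sample messages (not captured traffic).
OPTIONS_WEBDAV_ON = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Microsoft-IIS/6.0\r\n"
    b"DAV: 1, 2\r\n"
    b"Allow: OPTIONS, TRACE, GET, HEAD, POST, PROPFIND, PROPPATCH, MKCOL, LOCK, UNLOCK\r\n"
    b"\r\n"
)
OPTIONS_WEBDAV_OFF = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Microsoft-IIS/6.0\r\n"
    b"Allow: OPTIONS, TRACE, GET, HEAD, POST\r\n"
    b"\r\n"
)
BENIGN_PROPFIND = (
    b"PROPFIND /docs/ HTTP/1.1\r\n"
    b"Host: intranet.example\r\n"
    b"Depth: 1\r\n"
    b"If: <http://intranet.example/docs/> (<opaquelocktoken:example-token-1>)\r\n"
    b"\r\n"
)
OVERSIZED_PROPFIND = (
    b"PROPFIND /docs/ HTTP/1.1\r\n"
    b"Host: intranet.example\r\n"
    b"If: <http://intranet.example/" + b"A" * 1000 + b">\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    print("WebDAV advertised (on) :", webdav_enabled(OPTIONS_WEBDAV_ON))
    print("WebDAV advertised (off):", webdav_enabled(OPTIONS_WEBDAV_OFF))
    print("benign   :", flag_oversized_if(BENIGN_PROPFIND))
    print("oversized:", flag_oversized_if(OVERSIZED_PROPFIND))
```

The OPTIONS check looks at both the DAV header and the Allow list because a server may drop one and keep the other depending on how WebDAV was disabled; the request check keys on the method plus header length rather than any particular payload, so it catches the general shape without encoding a signature for one proof of concept.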