20 Jun 2001, James Middleton , V3
Microsoft yesterday released an advisory about another flaw discovered in its IIS web server software, a buffer overrun vulnerability that could allow an attacker to gain complete control of an affected web server.
The company also warned that the Indexing Service in the Windows XP beta is affected by the same vulnerability.
The problem stems from the default installation procedure of several Internet Services Application Programming Interface (ISAPI) extensions.
Only last month a similar glitch was found in the same module, giving away command line access to the attacker.
This time a bug in idq.dll, which provides support for administrative scripts and data queries, can be exploited during a web session and give an attacker complete control of the machine.
"Exploiting the vulnerability would give the attacker complete control of the server and allow him to take any desired action on it," said Microsoft.
"This includes changing web pages, reformatting the hard drive or adding new users to the local administrators group."
The glitch affects all versions of IIS running on NT, 2000 or beta versions of XP. Estimates suggest that as many as six million sites could be affected by the bug, an opportunity for hackers to have a field day.
"Clearly, this is a serious vulnerability, and Microsoft urges all customers to take action immediately," reads the company advisory.
"Customers who cannot install the patch can protect their systems by removing the script mappings for .idq and .ida files via the Internet Services Manager in IIS. However, it is possible for these mappings to be automatically reinstated if additional system components are added or removed", it adds.
As a safeguard, Microsoft recommends patching the server anyway.
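The workaround Microsoft describes has a weak point the advisory itself admits: the .ida and .idq script mappings can silently come back when system components are added or removed, so removing them once is not enough. The following Python script is an added example (not from the article or from Microsoft) of the two checks an administrator would want to rerun periodically: an audit of the server's script mappings for any entry that still routes .ida or .idq requests to idq.dll, and a scan of IIS W3C-format request logs for hits on those extensions. The script-map entry format ("extension,handler path,flags[,verbs]"), the log field order and all sample data are constructed assumptions for the example; on a real server the mappings would be read from the Internet Services Manager or the metabase and the lines from the actual log files.

```python
"""
Audit helper for the .ida/.idq script-mapping workaround.
Added example, not part of the original article. All sample data
below is constructed; the entry and log formats are assumptions.
"""
import os
from typing import Iterable, List, Tuple

# Extensions handled by idq.dll that the advisory says to unmap.
RISKY_EXTENSIONS = {".ida", ".idq"}

# Constructed sample of script mappings, in the assumed form
# "extension,handler path,flags[,verbs]" used by IIS 5 ScriptMaps.
SAMPLE_SCRIPT_MAPS = [
    ".asp,C:\\WINNT\\System32\\inetsrv\\asp.dll,1,GET,HEAD,POST,TRACE",
    ".ida,C:\\WINNT\\System32\\idq.dll,1,GET,HEAD",
    ".idq,C:\\WINNT\\System32\\idq.dll,1,GET,HEAD",
    ".htw,C:\\WINNT\\System32\\webhits.dll,3",
]

# Constructed sample of W3C extended log lines with the assumed fields
# "date time c-ip cs-method cs-uri-stem cs-uri-query sc-status".
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-06-20 10:15:01 192.0.2.10 GET /index.htm - 200
2001-06-20 10:15:07 192.0.2.44 GET /default.ida - 404
2001-06-20 10:16:12 198.51.100.7 GET /query.idq CiRestriction=test 200
2001-06-20 10:16:30 192.0.2.10 GET /images/logo.gif - 200
""".splitlines()


def mapped_extension(entry: str) -> str:
    """Return the lower-cased extension field of one script-map entry."""
    return entry.split(",", 1)[0].strip().lower()


def find_risky_mappings(script_maps: Iterable[str]) -> List[str]:
    """Extensions from RISKY_EXTENSIONS that are still mapped to a handler.

    A non-empty result means the workaround is not (or no longer) in place,
    e.g. because a component change reinstated the mappings.
    """
    return sorted(
        mapped_extension(e) for e in script_maps
        if mapped_extension(e) in RISKY_EXTENSIONS
    )


def remove_risky_mappings(script_maps: Iterable[str]) -> List[str]:
    """Return the mapping list with the .ida/.idq entries dropped.

    This is the end state the advisory's workaround should leave behind;
    applying it on a real server is done through Internet Services Manager,
    not by editing this list.
    """
    return [e for e in script_maps
            if mapped_extension(e) not in RISKY_EXTENSIONS]


def find_indexing_requests(log_lines: Iterable[str]) -> List[Tuple[str, str, int]]:
    """(client IP, URI stem, status) for every request to a .ida/.idq resource.

    Any such request is worth a look on a server that does not use the
    Indexing Service over the web; a 200 response after the mappings were
    supposedly removed is a sign they have been reinstated.
    """
    hits = []
    for line in log_lines:
        if not line or line.startswith("#"):
            continue  # skip directives and blank lines
        fields = line.split()
        if len(fields) < 7:
            continue  # malformed or truncated line
        _, _, client_ip, _, stem, _, status = fields[:7]
        ext = os.path.splitext(stem)[1].lower()
        if ext in RISKY_EXTENSIONS:
            hits.append((client_ip, stem, int(status)))
    return hits


if __name__ == "__main__":
    print("still mapped:", find_risky_mappings(SAMPLE_SCRIPT_MAPS))
    print("after workaround:", find_risky_mappings(remove_risky_mappings(SAMPLE_SCRIPT_MAPS)))
    for ip, stem, status in find_indexing_requests(SAMPLE_LOG):
        print(f"indexing-service request from {ip}: {stem} -> {status}")
```

Running the audit after every change to installed components, rather than once, is the point: the mapping check catches a reinstated handler, and the log check shows whether anything is actually reaching it.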
The patch can be downloaded here.