18 Oct 2000
Microsoft has fixed a major vulnerability in its Internet Information Server (IIS) that could allow a malicious user to sabotage a victim's server via a web browser.
In a security alert issued late last night Microsoft warned: "This is a serious vulnerability, and Microsoft recommends that all customers using its IIS 4.0 or 5.0 take action immediately to protect their systems." Microsoft took just two hours to fix the flaw, first reported on the Bugtraq security mailing list.
The problem will be a concern for thousands of website operators. According to Netcraft, which conducts monthly surveys into web server use, 19 per cent of the 4.1 million companies it questioned use IIS.
Microsoft said the flaw would enable a malicious user to execute code of their choice on a vulnerable web server. The type of code that could be run would be limited by the specific server configuration, but in most cases it would be possible for the malicious user to execute any code that an authenticated user could run.
"This would give him the ability to install and run code, add, change or delete files or web pages, or take other actions," said Microsoft.
According to the software giant, attackers could execute virtually any operating system command, and this would enable them to cause a wide range of damage. They could, for example, create new files on the server, delete ones that are already there, or reformat the entire hard drive.
"This isn't the worst he [a malicious user] could do," said Microsoft. "He wouldn't be limited to misusing code that already exists on the server. Access to the operating system commands would give him the vulnerability to upload code of his choice to the machine and execute it."
Paul Rogers, network security analyst at security consultancy MIS, said he is impressed with the speed with which Microsoft has responded to the problem. "They have realised the serious nature of the issue and come up with a fix. The only issue now is communicating this to their customers," he said.
"This highlights the many serious security vulnerabilities of IIS."
For more information, visit: http://www.microsoft.com/technet/security/bulletin/fq00-078.asp