IIS and Apache flaws leave web wide open

The internet is more vulnerable to malicious attacks than at any time in its history, according to a new study by network security company Netcraft.

Security advisories from Microsoft concerning its Internet Information Server (IIS) and a flaw in the Apache web server that leaves it open to a buffer overflow, mean that over 90 per cent of the world's active, unpatched web servers are susceptible to hackers, according to Netcraft.

Microsoft released a trio of advisories on 11 June, the most serious of which was an HTR buffer overflow that could be used to remotely compromise machines running IIS.

Active Server Pages has replaced HTR but Netcraft observed that half of all IIS sites have HTR scripting enabled, leaving them vulnerable to attack.

Netcraft director Mike Prettejohn warned that any attacks making use of this flaw would be "very successful".

"If something like Code Red happens again and it exploits the HTR vulnerability, it wouldn't be unexpected," he said. "In some ways it could be a good thing because, if something happens that is so disruptive people will patch their systems and improve security."

In addition to this, a new worm has been found to exploit a vulnerability in the way Apache web servers handle 'chunked' encoding".

This could lead to a remote system compromise and exploits are already known to have been developed for Windows, FreeBSD and OpenBSD.

Within a week of the problem being publicised, six million sites running Apache have been patched. But this still leaves 14 million potentially vulnerable sites.

Prettejohn also warned that the exploit applies equally to Secure Socket Layer (SSL) sites, and that most intrusion detection systems will not notice attacks running over SSL as the traffic is encrypted.

He urged web administrators to apply patches as soon as possible and to test networks for vulnerabilities.