Up to 600,000 web servers may be vulnerable to a flaw in Microsoft Internet Information Services (IIS) 6.0. Microsoft has said it does not plan to issue a patch for the zero-day buffer overflow vulnerability CVE-2017-7269.
The zero-day vulnerability appears in the Web Distributed Authoring and Versioning (WebDAV) component of Microsoft's web server IIS 6.0. WebDAV is an extension of the HTTP protocol that allows clients to write web content remotely.
WebDAV has a method called PROPFIND which allows a user to retrieve properties of a resource. There is also a header called IF which handles the state token. By issuing an overly large IF header in a PROPFIND request, an attacker may be able to create a denial of service condition or run arbitrary code in an application, reports security vendor Trend Micro in a blog post.
The vulnerability was found by researchers Zhiniang Peng and Chen Wu of the South China University of Technology Guangzhou, China. The researchers say that it has already been exploited in the wild with incidents observed last year. It was made public on March 27th and the researchers say that "other threat actors are now in the stages of creating malicious code based on the original proof-of-concept (PoC) code".
The vulnerability was found in systems running IIS 6.0 on Windows Server 2003 R2. The extended support period for Windows Server 2003 by Microsoft ended 20 months ago, so there is no official security fix for this issue.
IIS 6.0 is still running on more than 600,000 publicly accessible servers, according to the internet-connected device search engine Shodan, and most of these are likely to be running Windows 2003.
However, the true number of these servers that are actually vulnerable is unclear. For a start, there may be many more operational servers that are inaccessible from the internet. Secondly, many will not have WebDAV enabled. Researcher Iraklis Mathiopoulos found that only 10 per cent of those discovered by Shodan appear to be running WebDAV.
A patch for CVE-2017-7269 has been released by 0patch, but in the absence of an official fix, users are urged to disable WebDAV and, if possible, upgrade to a newer operating system.
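As an added illustration of the PROPFIND/If-header pattern described above and of the advice to disable WebDAV, here is a small defender-side helper (not code from the article, Trend Micro or the researchers) that flags PROPFIND requests carrying an oversized If header in captured HTTP traffic and checks whether an OPTIONS response still advertises WebDAV. The length threshold and all sample requests are constructed assumptions for illustration.

```python
"""Defensive checks for the IIS 6.0 WebDAV issue (CVE-2017-7269): flag PROPFIND
requests with an oversized If header, and detect whether WebDAV is advertised."""
from typing import Dict, Tuple

# Assumed threshold for illustration; legitimate If headers hold a few lock
# tokens and URIs, so anything in the kilobyte range deserves a look.
IF_HEADER_MAX_LEN = 1024


def _parse_head(raw: str) -> Tuple[str, Dict[str, str]]:
    """Return (start line, headers) for a raw HTTP/1.x message head.
    Header names are lower-cased; repeated headers are joined with commas."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        key = name.strip().lower()
        headers[key] = (headers[key] + "," + value.strip()) if key in headers else value.strip()
    return lines[0], headers


def is_suspicious_propfind(raw_request: str, max_len: int = IF_HEADER_MAX_LEN) -> bool:
    """True when the request is a PROPFIND whose If header exceeds max_len bytes."""
    start, headers = _parse_head(raw_request)
    method = start.split(" ", 1)[0].upper()
    if method != "PROPFIND":
        return False
    return len(headers.get("if", "")) > max_len


def webdav_advertised(raw_options_response: str) -> bool:
    """True when an OPTIONS response carries a DAV header or allows PROPFIND,
    i.e. WebDAV has not been disabled as the article recommends."""
    _status, headers = _parse_head(raw_options_response)
    allowed = {m.strip().upper() for m in headers.get("allow", "").split(",")}
    return "dav" in headers or "PROPFIND" in allowed


# Constructed samples (not real traffic) for a stand-alone run.
BENIGN_PROPFIND = ("PROPFIND /docs/ HTTP/1.1\r\nHost: host.example\r\n"
                   "If: <http://host.example/docs/> (<opaquelocktoken:abc-123>)\r\n\r\n")
OVERSIZED_PROPFIND = ("PROPFIND /docs/ HTTP/1.1\r\nHost: host.example\r\n"
                      "If: <http://host.example/" + "A" * 1500 + ">\r\n\r\n")
OPTIONS_WEBDAV_ON = ("HTTP/1.1 200 OK\r\nDAV: 1, 2\r\n"
                     "Allow: OPTIONS, GET, HEAD, PROPFIND, PROPPATCH\r\n\r\n")
OPTIONS_WEBDAV_OFF = "HTTP/1.1 200 OK\r\nAllow: OPTIONS, GET, HEAD, POST\r\n\r\n"

if __name__ == "__main__":
    print("benign flagged:", is_suspicious_propfind(BENIGN_PROPFIND))
    print("oversized flagged:", is_suspicious_propfind(OVERSIZED_PROPFIND))
    print("WebDAV on:", webdav_advertised(OPTIONS_WEBDAV_ON))
```

Feed the request parser from a proxy or IDS capture; the OPTIONS check is a quick way to confirm that disabling WebDAV actually took effect on a server.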