Up to 600,000 web servers may be vulnerable to a flaw in Microsoft Internet Information Services (IIS) 6.0. Microsoft has said it does not plan to issue a patch for the zero-day buffer overflow vulnerability CVE-2017-7269.
The zero-day vulnerability appears in the Web Distributed Authoring and Versioning (WebDAV) component of Microsoft's web server IIS 6.0. WebDAV is an extension of the HTTP protocol that allows clients to write web content remotely.
WebDAV has a method called PROPFIND which allows a user to retrieve properties of a resource. There is also a header called IF which handles the state token. By issuing an overly large IF header in a PROPFIND request, an attacker may be able to create a denial of service condition or run arbitrary code in an application, reports security vendor Trend Micro in a blog post.
The vulnerability was found by researchers Zhiniang Peng and Chen Wu of the South China University of Technology Guangzhou, China. The researchers say that it has already been exploited in the wild with incidents observed last year. It was made public on March 27th and the researchers say that "other threat actors are now in the stages of creating malicious code based on the original proof-of-concept (PoC) code".
The vulnerability was found in systems running IIS 6.0 on Windows Server 2003 R2. The extended support period for Windows Server 2003 by Microsoft ended 20 months ago, so there is no official security fix for this issue.
IIS 6.0 is still running on more than 600,000 publicly accessible servers, according to the internet-connected device search engine Shodan, and most of these are likely to be running Windows 2003.
However, the true number of these servers that are actually vulnerable is unclear. For a start there may be many more operational servers that are unaccessible to the internet. Secondly many will not have WebDAV enabled. Researcher Iraklis Mathiopoulos found that only 10 per cent of those discovered by Shodan appear to be running WebDAV.
A patch for CVE-2017-7269 has been released by Opatch, but in the absence of an official fix, users are urged to disable WebDAV and if possible upgrade to a newer operating system.
Not all loose ends tied yet, admits Bain backer SK Hynix
It's Stack Overflow's second calculator, and first for external devs
Theresa May always the keenest cabinet voice in favour of draconian online censorship, surveillance and controls
No need to waste time on Google launch planned for 4 October