Thursday, September 10, 2009

Hackers already exploiting IIS flaws

Microsoft has revealed that hackers are already exploiting newly disclosed vulnerabilities in its Internet Information Services (IIS) web server software.

Exploit code for the first flaw was posted on Monday, allowing hackers to remotely take control of an IIS 5.0 server. New code was then posted on Thursday which takes advantage of vulnerabilities in IIS 5.0, IIS 5.1, IIS 6.0 and IIS 7.0 to allow hackers to launch denial-of-service attacks against these systems, as long as they are running the FTP Service, said Microsoft.

The company was forced to update its security advisory warning that it is now seeing "limited attacks that use this exploit code".

"Microsoft is actively monitoring this situation to keep customers informed and to provide guidance as necessary," the advisory continued.

Microsoft is due to release its September security updates on Tuesday next week, but it is widely believed that the new vulnerabilities were disclosed too recently for the Microsoft security team to deliver a working fix.

Microsoft blamed the current, albeit limited, attacks on the fact that the original vulnerabilities were published on the internet before the firm had a chance to work on a resolution.

"We continue to encourage responsible disclosure of vulnerabilities. We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests," said the firm in a blog post.

"This practice helps to ensure that customers receive comprehensive, high-quality updates for security vulnerabilities without exposure to malicious attackers while the update is being developed."

No comments: