While Microsoft officials are taking credit for finding and fixing the bugs in IIS, a small consulting firm called Midwestern Commerce claimed it that discovered the problems in the Web server, publishing its findings online last Wednesday, the same day Microsoft posted its Service Pack 3 for IIS.
MWC officials say they found four bugs that, exploited in tandem, could have allowed a good hacker both to read files stored on the Windows NT-based Internet Information Server and to upload and execute programs such as a virus. Last week, the company posted a detailed technical description of the problems on its Web site.
"In general, [the bugs] allow you to void NT security," said Andy Pozo, Midwestern Commerce director of sales. He said the latest security problems apply in theory to other NT Web servers, such as Netscape Communications' Commerce and Communications Server, but the threat is negligible because those products are less deeply integrated with NT than Internet Information Server.
This is the second time that the software giant has posted patches for similar problems in recent weeks. In June, Microsoft posted a fix for a comparable bug that would allow unauthorized users to retrieve files from IIS and execute commands on the server.
Microsoft disputes MWC's characterization of the severity of the new bugs, arguing that properly configured Web servers would be immune to them and that it's not possible to upload an executable file to its server anyway. The company did, however, immediately post a software update for the server, called Service Pack 3. The bug fixes were posted just before the July 4 holiday and not widely publicized.
"In the worse case, someone could perhaps read a file that they weren't supposed to or potentially execute a script on a system that they weren't supposed to," said Brian Moran, product manager at Microsoft. "[But] IIS doesn't have the facility for someone to upload a file."
MWC agrees but explained that if an FTP server is connected to the Web server, it would be possible to upload files as the company describes.
Microsoft officials contested MWC's claim that they discovered the new bugs, saying that its software fix has been in the works for weeks. At least one expert knew about the security problems before the MWC report and chided Microsoft for not responding more quickly with a fix.
"The problem is these things have been known for a long time," said David Strom, president of consultancy David Strom Incorporated and operator of a site that compares Web servers. "When somebody finds out about this, how quickly does it percolate up the Microsoft support structure?"