X

Program may exploit Microsoft server hole

A Japanese hacker has posted a program that could exploit a hole in Microsoft Web server software, giving attackers complete control of vulnerable servers.

CNET News staff
See full bio
CNET News staff
2 min read
A Japanese hacker has surreptitiously posted a program that could exploit a recently discovered hole in Microsoft Web server software, giving remote attackers complete control of vulnerable servers.

The hacking script--which went unnoticed for some time--was posted last week on the GeoCities home page of a Japanese hacker who uses the nickname "HighSpeed Junkie." The code, programmed on June 21, could potentially exploit a flaw in Microsoft's Internet Information Server (IIS). As first reported by CNET News.com, an IIS component doesn't check for buffer overruns, a common software problem, potentially enabling a hacker to gain full, system-level control of a server.

"It is a very serious vulnerability--it's important to install the relevant patches as there are scumbags out there who will write programs to exploit these vulnerabilities," said Graham Cluley, senior technical consultant at antivirus software maker Sophos.

An anonymous third party also posted a link to the exploit code on the Windows security mailing list Win2KSecAdvice last Wednesday. It claimed that the source program is already listed in the file archives of at least one underground hacking site.

The author insists that the existence of this code proves that efforts by software makers and governments to prevent the release of such programs are futile. "All those opposed to full disclosure, be damned," he argues.

Microsoft alerted the 6 million IIS users to the problem on June 18, urging them to install a new patch. The report warned the vulnerability "would give the attacker the ability to take any desired action on the server, including changing Web pages, reformatting the hard drive or adding new users to the local administrators group."

Hackers had been cautious in exploiting the hole, initially keeping malicious code to themselves.

Cluley argues that companies only have themselves to blame for not installing patches as soon as they are released. "There is a lackadaisical attitude amongst companies towards patches," he said. "It is easy to sign up to the alerts about them, so everyone should have applied the patches to this vulnerability by now."

Microsoft was not immediately available for comment.

Staff writer Wendy McAuliffe reported from London.