Microsoft has dismissed reports that there's an unpatched critical flaw in the latest version of its webserver software. The software giant accepts there is an "inconsistency" in how IIS 6 handles semicolons in URLs. But it denies that this lends itself to hacking attacks, contrary to claims by security researchers shortly …
Critical? Only to the 'tards that believe this crap
Awww gosh darn it I'm agreeing with MS :/ It's a bug, it's exploitable in specific circumstances and as such demands attention, but "critical"?! Jesus...
"even in default configurations"
I like how in MS-world default configurations are presumed to be insecure.
This an annoying new habit from Microsoft. No matter what bug report comes out, they just ignore it and claim it's not a bug.
Somebody please remind them, security > reputation!!!
MS: "Never mind the faulty seatbelts, you still have an airbag"
MS' point that the permissions would have to be misconfigured is the perfect political answer; factually true, but disingenuous and avoiding the main point.
There are two security mechanisms by which you (as a webmaster) prevent random strangers uploading and executing random content on your website. One is by controlling what they can upload; the other is by controlling what can be done with that content once it's been uploaded, by configuring permissions and privileges.
This is a good design, because it is redundant and hence fail-safe; if something goes wrong with either of these mechanisms, the other one will still protect you. So when MS point out that you would have to have your perms wrong before uploading uncontrolled content could cause harm, it's equally valid to turn it around and point out that you would have to have something wrong with the content-upload control mechanism before having your perms misconfigured could cause harm.
Many, many, many security exploits follow the pattern of leveraging one minor vulnerability in order to take advantage of another. How many local privilege escalation exploits have been dismissed with the fallacious "But you'd already have to have an account on the box anyway" argument, only to prove their worth as attackers break out of sandboxed, jailed or limited-user web server user accounts?
The seatbelts/airbags analogy is apt here: if you ever need /either/, you're probably already in a lot of trouble and you really, really want *both*. So it matters *a lot* if one is already not there when you set out at the start of your drive...
The analogy is closer to the airbag not working (content upload filtering) but you choosing to also not use your seatbelts (by setting security permissions to allow upload and execute).
There are three security measures you, as a webmaster, can implement on the local server to prevent security issues:
1. Least User Access (e.g. run as anon and elevate using impersonation, or only particular directories run as an actual user)
2. Set correct permissions. They are fine out of the box, but if you do anything not quite standard or normal then set them properly
3. If you run it, you trust it - KNOW your application. If it's so poorly built it's designed to blindly execute any file placed in a directory regardless of filename, extension or header then what do you expect?
4. Can add in content filtering, but it's an additional layer. The best methods are the three above.
Yeah, there's a workaround for a security measure - but if you're relying on just that then your box will be pwned shortly - if it hasn't already. It's such a minor 'security' feature - it's nearly an end-user feature to tell them they uploaded the wrong file type rather than to prevent these problems from happening...!!
Bad administration isn't the fault of the developer - it's the fault of the administrator.
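The two posts above describe the same defence-in-depth idea from opposite sides: control what gets uploaded, and independently control what can be done with it once stored, so that a parsing quirk in one layer does not become code execution. The following is an added illustration, not code from the article or from any commenter, and it assumes nothing about IIS beyond what the thread says; the allow-list, the store layout and the sample names are constructed for the example. Layer 1 enforces a strict filename grammar (one dot, allow-listed extension, tiny stem alphabet), so a name containing a semicolon or a second extension is rejected before the web server ever sees it. Layer 2 stores files under server-generated names, outside the web root, without execute bits, and serves them only as raw bytes with a content type fixed by the allow-list, so nothing hands a stored file to a script engine even if layer 1 were bypassed.

```python
import os
import re
import secrets
import tempfile
from typing import Dict, List, Optional, Tuple

# Constructed allow-list: types a user may upload, mapped to the content type
# they are served with. Server-side executable types are never added here.
ALLOWED_TYPES: Dict[str, str] = {
    "jpg": "image/jpeg",
    "jpeg": "image/jpeg",
    "png": "image/png",
    "pdf": "application/pdf",
}

# Stem grammar: short, ASCII letters/digits/underscore/hyphen only.
_STEM = re.compile(r"[A-Za-z0-9_-]{1,64}")
# Names this store generates: 32 hex chars, one dot, lowercase extension.
_STORED = re.compile(r"[0-9a-f]{32}\.[a-z]+")


def validate_upload_name(name: str) -> Optional[str]:
    """Layer 1 (control what is uploaded): return the accepted extension or None.

    Exactly one dot, an allow-listed extension and a stem from the tiny
    alphabet above. Path separators, semicolons, NULs and multiple
    extensions all fail this grammar, so how a downstream server would
    parse such a name never matters.
    """
    if not name or len(name) > 128:
        return None
    stem, dot, ext = name.rpartition(".")
    if not dot or "." in stem:
        return None
    if not _STEM.fullmatch(stem):
        return None
    ext = ext.lower()
    return ext if ext in ALLOWED_TYPES else None


class UploadStore:
    """Layer 2 (control what can be done with stored content).

    Files are written under server-generated names in a directory that is
    not under the web root, with mode 0600 (no execute bit), and are read
    back only as bytes with a content type taken from the allow-list.
    """

    def __init__(self, root: str) -> None:
        self.root = root
        os.makedirs(root, mode=0o700, exist_ok=True)

    def save(self, user_name: str, data: bytes) -> str:
        ext = validate_upload_name(user_name)
        if ext is None:
            raise ValueError("rejected upload name")
        stored = f"{secrets.token_hex(16)}.{ext}"  # user never picks the name
        path = os.path.join(self.root, stored)
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
        return stored

    def serve(self, stored: str) -> Tuple[str, bytes]:
        """Return (content_type, bytes); only names this store generated are accepted."""
        if not _STORED.fullmatch(stored):
            raise ValueError("not a stored name")
        ext = stored.rsplit(".", 1)[1]
        with open(os.path.join(self.root, stored), "rb") as fh:
            return ALLOWED_TYPES[ext], fh.read()


def demo() -> dict:
    """Constructed run: one accepted upload plus a list of rejected names."""
    store = UploadStore(tempfile.mkdtemp(prefix="uploads-"))
    stored = store.save("cat.png", b"\x89PNG-constructed-sample")
    ctype, data = store.serve(stored)
    candidates: List[str] = ["page.asp", "cat.png;.txt", "../cat.png", ".png", "cat;.png", "cat.PNG"]
    rejected = [n for n in candidates if validate_upload_name(n) is None]
    return {"stored": stored, "ctype": ctype, "data": data, "rejected": rejected}


if __name__ == "__main__":
    print(demo())
```

The point of the split is that neither function trusts the other: `validate_upload_name` does not know where files go, and `UploadStore.serve` refuses any name it did not generate itself, so an administrator who later loosens one layer still has the other standing.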
Holy shit! If my webserver is insecure and vulnerable, there's a bug that will make it insecure and vulnerable. Stop the presses! This is the exact same sort of issue as the SQL Server slammer "worm" which required a blank administrator password in order to propagate...
re: AC @ 16:17
I don’t think that MS is being disingenuous, and I think that it is you that are missing the point.
In order for this bug to be exploited, a wannabe-webmaster must create a folder, give web users read, write, and EXECUTE permissions, create an upload facility (MS doesn’t provide one), allow web users to upload files into that folder, AND give the web user the ability to name the file that goes into the folder.
None of these are default conditions, each of them must be explicitly set by a developer or server administrator.
The reality is that if a web admin creates that set of conditions, they are just asking for their server to be compromised, and it doesn’t matter what operating system or web server is used.
If the same thing is done on Linux, where a webmaster gives 777 rights to a folder, then creates a php app that allows users to upload files into that folder, then they are in the same situation.
If this is a seatbelt/airbag analogy, then the analogy is that the web admin has removed the doors and airbag, disconnected the brakes, and turned a teenager loose with the car in a demolition derby with only the seatbelt to protect them.
No analogy works
particularly, seat belts and airbags. These are not optional, at least in modern cars, they are fitted by default, and in fact seatbelts are a legal requirement to be worn on any journey. The wearing of seatbelts is the default setting if you like. You have the choice to not wear seatbelts, but in doing so break the law, and take on the risk of any accident or injury to yourself, by violating your insurance if you so choose to, and maybe any legal repercussions, especially if the accident is deemed to be your fault.
Perhaps this is more a case of web masters not knowing their ar++s from their elbows when it comes to securing either their sites, or providing a safe environment in which to surf.
It's still a failure in parsing the input and the output
One of which *should* fail.
The $64m question, *is* it critical, depends on how many popular websites have these issues. The correct answer should be *none* of them.
The real answer is.....
Don't get this at all
You mean some web sites out there just let people fire any old crap at them in a URL and pass it straight to their server to execute? No validation?
This is 2009 going on 2010 yes?
This issue is with IIS6 which shipped with Windows Server 2003, since then we've had IIS7 (Windows Server 2008) & IIS 7.5 (Windows Server 2008 R2) neither of which seem to be affected by this issue.
As IIS6 is nearly 7 years old and has had 2 subsequent releases I don't think you can call it the "latest version"! I would however guess it's the most deployed version of IIS.