Flaw in Microsoft’s IIS Enables Malware ExecutionSoroush Dalili, a security researcher, has found that a flaw exists in the latest version of IIS (Internet Information Services) of Microsoft, as reported by TheRegister on December 25, 2009. The researcher states that the flaw occurs in the manner of IIS' parsing colon and semicolon-implanted file names. Further, IIS could run a file having any extension in the form of an ASP (Active Server Page) or as executable extensions of other types. According to Dalili, an example of this is "malicious.asp;.jpg" which runs on a server as an .asp file, as reported by V3 on December 26, 2009. Several web-programs are so designed that they reject uploading of executable files. For example, when ASPs that usually contain the ".asp" extension add ";.jpg" or any other harmless extension to some malevolent file, it enables attackers to evade filters and possibly dupe and get a server to execute the malicious software. Dalili added that several file uploading programs defended a computer by checking merely the filename's last portion as the extension. This flaw allows an attacker to escape the defense and load certain risky executable file on the system, he explained. Indeed, Dalili presented an exemplified attack to make his argument stronger. He said that suppose a website which accepted only JPG files to serve as the avatars of users. Therefore, the users could load their avatars on the Internet-connected system. Similarly, an attacker could attempt to load "Avatar.asp;.jpg" on that system. The web program would identify the upload as a JPG file. Consequently, the file would receive the consent to be loaded on the server. However, if the attacker viewed that file, IIS would regard it as a file with an .asp extension. It would also attempt to run it as a file of the ASP Dynamic Link Library type, Dalili explained. Incidentally, the exploration of flaw continues and some disagreements have emerged about its seriousness. While Dalili assigns the flaw a "highly critical" rating, Secunia the vulnerability tracker calls it "less critical." Moreover, some reports state that the software giant Microsoft is investigating the flaw. Related article: Flaw For PayPal Website, Opportunity For Fraudsters » SPAMfighter News - 1/4/2010 |
Dear Reader
We are happy to see you are reading our IT Security News.
We do believe, that the foundation for a good work environment starts with fast, secure and high performing computers. If you agree, then you should take a look at our Business Solutions to Spam Filter & Antivirus for even the latest version of Exchange Servers - your colleagues will appreciate it!