Hackers Using an IIS Flaw Could Control Affected Server
According to a report published by TheRegister on August 31, 2009, Nikolaos Rangos, a computer hacker, has discovered a previously unknown security flaw in Microsoft's IIS (Internet Information Services) web server. In certain instances, the use of malware enables the flaw to give hackers full control over affected systems.
While the proof-of-concept for the flaw, published on www.Milw0rm.com on August 31, 2009, might cause considerable trouble for certain webmasters, the attack seems feasible only on earlier editions of Microsoft's software.
Rangos said the vulnerability resides in the FTP (File Transfer Protocol) program used by IIS to transfer large files on the Internet. Thus, a user must have FTP turned on in order to fall victim to the attack. The Milw0rm posting stated that a hacker using the proof-of-concept could place malicious or unauthorized software on the server.
According to the posting, the proof-of-concept is effective only on Microsoft's long-standing Windows 2000 OS while the older IIS 5.0 server is running. Moreover, according to security specialists, a successful attack also requires the attacker to be able to create a new directory on the server.
Other IIS versions are also at risk, according to independent researcher Thierry Zoller, who made the statement after examining the issue, as reported by PCWorld on August 31, 2009. Zoller added that later versions of Microsoft's operating systems contain features that make the problem less severe.
A Microsoft spokeswoman said that researchers at the company were studying the problem and would release a public statement once that work was complete, as reported by TheRegister. The spokeswoman added that so far there had been no reports of the flaw being exploited.
Another flaw, affecting Google's Chrome browser, was revealed on August 31, 2009. Malicious websites could use this flaw to monitor the movements of Web surfers.
In May 2009, Rangos had revealed another critical flaw in IIS which, if exploited, could expose protected folders and files, but Microsoft quickly patched it.
» SPAMfighter News - 17-09-2009