Microsoft confirms hackers are exploiting server bug

September 7, 2009

Microsoft says it has evidence hackers are exploiting an unpatched bug in its server software, which it announced last week. The firm says a patch is on the way, but it appears unlikely to be part of this week’s Patch Tuesday update.

The bug was officially announced last week along with details of a workaround. At that stage there were no signs of hackers taking advantage. Now, perhaps inevitably, there have been “limited attacks that use this exploit code.”

The problem involves Internet Information Services (IIS), a server system used by almost a third of websites. At first it was thought only older editions (5.0 through 6.0, distributed with Windows 2000, Server 2003 and XP) could be attacked, allowing hackers to take control of the FTP system used for file transfers.

However, a second method of exploiting the bug affects all but the very latest edition (7.5, from Windows 7 and Server 2008 R2). In these cases the attacks appear to be limited to denial of service: that is, intentionally crashing a site.

Microsoft has announced it is working on a patch to fix the problem. However, the timescale means it likely won’t be part of tomorrow’s monthly update, and it doesn’t appear to be part of the five critical issues already listed for the update.

That would mean Microsoft has to choose between waiting till next month’s update, or sending out an “out-of-cycle update”, otherwise known as an emergency patch.

The news won’t go down well with the security community as it will likely provoke charges of hypocrisy. When independent researchers discover bugs with Microsoft software, the firm strongly encourages them to keep the details quiet until a solution is ready.

In this situation it appears hackers were already aware of the problem before it came to Microsoft’s attention. But in deciding to publicize it before finding a solution, the firm may have effectively tipped off other hackers to try their hand at an exploit.




Copyright © 2012 Blorge.com NS