Just hours after confirming a vulnerability in Internet Explorer, Microsoft has another problem on its hands. Late Wednesday, Microsoft confirmed that it is investigating a Denial-of-Service (DoS) vulnerability in the FTP service that ships with IIS.
In an email to The Tech Herald, Dave Forstrom, the Director of Trustworthy Computing at Microsoft, said that they are investigating the vulnerability and they’re “unaware of any attacks trying to use the claimed vulnerability or of customer impact.”
“Once we’re done investigating, we will take appropriate action to help protect customers. This may include providing a security update through the monthly release process, an out-of-band update or additional guidance to help customers protect themselves.”
Proof-of-Concept code on Exploit Database, submitted by Matthew Bergin, can be used to trigger the issue. According to the submission, the PoC was tested against a fully patched instance of IIS 7.5 on Windows 7 Professional.
Reports of this new Microsoft zero-day started on Wednesday when US-CERT posted a vulnerability note on the topic. The note says that IIS FTP Server 7.5 is vulnerable not only to a Denial-of-Service but potentially to remote code execution, which would make it a serious problem if not for a few large mitigating factors.
In a blog post, Microsoft explained that IIS FTP Server 7.5 can be exploited if an attacker causes the FTP server to attempt to encode Telnet IAC (Interpret As Command) characters in an FTP response. IAC is the byte 0xFF; the FTP control connection follows the Telnet conventions of RFC 854, under which a literal 0xFF in the data must be sent as two 0xFF bytes, so encoding can make a response longer than the text it started from.
However, after some testing, Microsoft rated the issue as a DoS only and said that remote code execution is unlikely.
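The following is an added illustration of the Telnet IAC escaping step the Microsoft post refers to; it is not Microsoft's code and makes no claim about how the IIS FTP service actually implements it. It shows the RFC 854 rule (every 0xFF in the response text is doubled on the wire) and the consequence an implementer has to plan for: the escaped output can be up to twice the size of the input, so an output buffer sized for the unescaped text is too small. The reply bytes used in the demonstration are constructed for this example; the function names are assumed.

```c
#include <stddef.h>
#include <string.h>

#define IAC 0xFF  /* Telnet "Interpret As Command" byte, RFC 854 */

/* Number of bytes the escaped form of in[0..in_len) needs: every IAC
 * byte is doubled, every other byte passes through unchanged. The
 * worst case (input entirely 0xFF) is exactly 2 * in_len. */
size_t iac_escaped_len(const unsigned char *in, size_t in_len)
{
    size_t n = in_len;
    for (size_t i = 0; i < in_len; i++)
        if (in[i] == IAC)
            n++;
    return n;
}

/* Escape IAC bytes for the FTP control connection: 0xFF is written as
 * 0xFF 0xFF. Returns 1 on success and stores the written length in
 * *out_len; returns 0 without writing anything if out_cap is too small.
 * Checking the required length before writing is the whole point: an
 * encoder that sizes its output as in_len assumes escaping never grows
 * the data, and a response that contains 0xFF bytes proves it wrong. */
int iac_escape(const unsigned char *in, size_t in_len,
               unsigned char *out, size_t out_cap, size_t *out_len)
{
    size_t need = iac_escaped_len(in, in_len);
    if (need > out_cap)
        return 0;
    size_t o = 0;
    for (size_t i = 0; i < in_len; i++) {
        out[o++] = in[i];
        if (in[i] == IAC)
            out[o++] = IAC;   /* doubled per RFC 854 */
    }
    *out_len = o;
    return 1;
}

/* Demonstration of the worst case: a reply whose text is all 0xFF
 * (constructed input). A buffer sized like the input must be rejected;
 * a buffer sized at 2x the input must hold the full escaped form.
 * Returns 1 if the encoder behaves that way, 0 otherwise. */
int demo_worst_case(void)
{
    unsigned char reply[8];
    unsigned char small[sizeof reply];      /* sized like the input: too small */
    unsigned char big[2 * sizeof reply];    /* worst-case size: enough */
    size_t n = 0;

    memset(reply, IAC, sizeof reply);
    if (iac_escape(reply, sizeof reply, small, sizeof small, &n) != 0)
        return 0;   /* should have been refused */
    if (iac_escape(reply, sizeof reply, big, sizeof big, &n) != 1)
        return 0;
    return n == 2 * sizeof reply;
}
```

In FTP, reply text can contain strings the client supplied (a pathname echoed in a 257 reply, for instance), so the bytes reaching this encoder are not necessarily under the server's control; that is why the length check has to happen before the copy rather than being assumed from the size of the original text.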
“Our second discovery is that this vulnerability only affects IIS FTP Service and leaves the IIS Web Services completely unaffected. Hence a Denial of Service on the FTP service will not affect any of the web services hosted by IIS but only the FTP service,” the SRD blog noted.
“Third and finally, the IIS FTP Service is not installed by default, and even after installation, it is not enabled by default.”
As mentioned, this latest investigation by Microsoft comes just a few hours after the company confirmed a vulnerability that affects all supported versions of Internet Explorer. Microsoft issued a security advisory for it and said in a statement that it is not aware of any attacks leveraging the vulnerability.
“However, given the public disclosure of this vulnerability, the likelihood of criminals using this information to actively attack our customers may increase. As such, customers using Windows Vista and later versions of Windows are strongly encouraged…”
More details on the Internet Explorer investigation are here.
In the meantime, while Secunia is listing the IIS FTP Server vulnerability as critical, the fact that the service is neither installed nor enabled by default provides a buffer for many organizations. That buffer only holds for servers where the FTP service really is absent or stopped, so administrators who are unsure should check whether it has been installed and started on their IIS hosts rather than assume the default.