WebDAV Buffer Overflow Attack Compromises IIS 5.0
rf0 writes "Well CERT is reporting a new overflow attack for IIS 5.0. Microsoft has released a bulletin. Better download those patches and fix another security hole." According to this CNET story, Microsoft says that this is already being exploited, at the very least since last Wednesday.
Well, if they are going to have bugs, it is not that bad of a thing as long as they are patched promptly. Then again, many admins do have a tendency to run unpatched machines.
It seems quite likely to me that that was an under-reported version of this incident reported on MSNBC, that permitted an intruder with apparent quite-hostile intent onto US Army sites.
I've asked this everywhere, maybe someone will answer.
The MS advisory states that a 'default' URLScan will protect against this. Well... We don't run the default config. We've customized it, as have many shops. I can't find information on _which_ aspects of URLScan provide the protection - I'd like to know if our customizations have left us out in the breeze.
Anyone know?
Is it just me, or did anyone happen to download and extract the patch and notice that it does not seem to contain the webdav .dll but just ntdll.dll? So is it really a patch to WebDav or for something in ntdll.dll that webdav relies on?
The problem with this patch is that it wasn't found by a white hat and submitted. It was discovered by people getting hacked and calling MS asking WTF. In cases like that, 5 days isn't really that bad. In cases where an exploit, along with vulnerability code, and a description are fed to devs on a platter, open source or not, it makes the task 10x easier. When you have to figure out what is going on while under fire, and in a hurry, things get messy. That said, you can hack a lot of systems in 5 days with the right script.
-Charlie