Microsoft Downplays IIS Bug Threat

snydeq writes "Microsoft confirmed that its IIS Web-server software contains a vulnerability that could let attackers steal data, but downplayed the threat, saying 'only a specific IIS configuration is at risk from this vulnerability.' The flaw, which involves how Microsoft's software processes Unicode tokens, has been found to give attackers a way to view protected files on IIS Web servers without authorization. The vulnerability, exposed by Nikolaos Rangos, could be used to upload files as well. Affecting IIS 6 users who have enabled WebDAV for sharing documents via the Web, the flaw is currently being exploited in online attacks, according to CERT, and is reminiscent of the well-known IIS unicode path traversal issue of 2001, one of the worst Windows vulnerabilities of the past decade."

WebDAV used much?

[TranceThrust]

Is Microsoft 'correct' in downplaying, in the sense that the particular vulnerable configuration mentioned is not used by many?

Serious question

[Ash-Fox]

Serious question, has the Apache package even had any bad vulnerabilities like this in the past ten years?

Re:Serious question

[Twillerror]

Serious answer. Apache is a modular beast and since doesn't get blaimed for modular problems like this.

There have been issues even bigger in various mods like mod_php.

Even code red was a problem with Internet printing and not really the core IIS. Maybe IIS should have blocked it and already had URLScan, but ultimately it was just passing a URL along some C++ code that blew up. MS created that .DLL so we can blame MS..but blaiming IIS itself was slightly off.

The core of both IIS and Apache have been pretty well hardened. Hence why WebDav is turned off in IIS 6. Even .ASP has to be turned on during setup.

MS puts out it's own mods essentially...where Apache would have a different team working on WebDAV. If the same "exploit" was found in mod_webdav who could we really blame. Yell at the Apache foundation...no we would professionally fix the issue. Maybe some flaimbaiters on the other side would yell..."see open source is less secure".

Softwares has bugs, some of them are security related. When open source creates them they are presented as bugs...when MS creates them it is some kind of great conspiracy to rule the world. Some guy just like you wrote this bad code and is probably feeling like crap today. Some tester let it get thru and is feeling really crappy today. A bunch of dudes in at both MS and the rest of the security community are pulling up their britches and getting it fixed...move along nothing to really see here.

Re:Serious question

Actually, if you're a big enough company you can get the same response from Microsoft. You call through their incident support line and get through to the project support lead for the product in question and they can manage putting together a hot fix. It will cost you, but it would cost you either way. I worked for a fairly small company five years ago and we got the lead developer from the Microsoft SNA division to create a custom patch for a bug that we identified on a Sunday morning at 2:00 AM. In all it cost us $200.

In the majority of cases the company is going to sit tight and wait on support through the platform company, whether that be Microsoft, Red Hat, Oracle, Dell, whatever. The number of companies that actually seek out a custom fix would be in the extreme minority as deploying such custom code into a production environment is a liability in of itself.

This is another Unicode hole

[spitzak]

It sounds like the basic cause is something attempting to translate a string into "unicode" before using it.

For some reason, normally intelligent programmers turn into complete morons when presented with UTF-8 and other Unicode encodings. They become convinced that it is somehow physically impossible to do anything to these strings without first finding all the "characters" (actually Unicode code points, which are not "characters") and will write pages and pages of elaborate and bug-prone code to do this and "count characters". This code is COMPLICATED and there is the basic fact that the mapping is often not 1:1 and even when it is different implementations vary and thus don't invert correctly. This causes bugs, nasty ones like you can see right. here.

In fact it would be trivial to just treat it as a string of bytes that happens to maybe represent some text. The ONLY time you need "characters" is when you are rendering the string into an image that humans will look at, and if you want to do semantic analysis such as grammar checking. It is not needed if you are looking for the period that starts the extension or trying to find a number.

What is really sad and mysterious is that this disease only seems to be triggered by UTF-8. Nobody worries about finding the boundaries between "words". Nobody seems to worry about UTF-16 surrogate pairs, and nobody was really concerned with older Japanese multi-byte encodings.

This is NOT Microsoft-specific so don't feel complacent. Microsoft's moronic decision to name files with UTF-16 is really bad, but witness open source Python 3.0 which has decided that all strings will have to be converted to "unicode" (acutally UTF-16 or UTF-32 depending on the platform) before anything is done to them. Python is heavily used to parse HTML and URLs and I expect a huge mess from this stupid idea.

I'm sure there will be a few responses claiming some magical property of "characters" so that you can't do anything about it. PLEASE, try some thought experiments. Try substituting "words" in your example, it will either be stupid, or you will realize that that only a tiny portion of software needs it. Go and write some code where you leave the strings in UTF-8 and maybe you will learn.