Millions of Websites Affected By Unpatched Flaw in Microsoft IIS 6 Web Server (pcworld.com)
A proof-of-concept exploit has been published for an unpatched vulnerability in Microsoft Internet Information Services 6.0, a version of the web server that's no longer supported but still widely used. From a report on PCWorld: The exploit allows attackers to execute malicious code on Windows servers running IIS 6.0 with the privileges of the user running the application. Extended support for this version of IIS ended in July 2015 along with support for its parent product, Windows Server 2003. Even so, independent web server surveys suggest that IIS 6.0 still powers millions of public websites. In addition, many companies might still run web applications on Windows Server 2003 and IIS 6.0 inside their corporate networks, so this vulnerability could help attackers perform lateral movement if they access such networks through other means.
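The report's point is that IIS 6.0 is out of support yet still easy to find in the wild; the surveys it cites work by reading the HTTP `Server` response header. The following is an added example (not from the PCWorld report or any commenter) of the same idea turned inward: parse the `Server` headers collected by an internal asset inventory and flag hosts still advertising a version whose support has ended. The only lifecycle date in it comes from the story (IIS 6.0 with Windows Server 2003, July 2015); the host names and header values are constructed.

```python
"""Flag inventory hosts that still advertise an end-of-life IIS version.

Added example, not part of the original story or thread. It assumes an
inventory as a list of {"host": ..., "server": ...} dicts, where "server" is
the raw HTTP Server response header observed for that host.
"""
from __future__ import annotations

import re
from datetime import date
from typing import Optional

# (product, version) pairs known to be out of vendor support.
# Only the IIS 6.0 / Windows Server 2003 date (extended support ended
# 14 July 2015) is taken from the story; extend this from vendor lifecycle data.
EOL_DATES: dict[tuple[str, str], date] = {
    ("Microsoft-IIS", "6.0"): date(2015, 7, 14),
}

# Server headers look like "Microsoft-IIS/6.0" or "nginx/1.12.0"; the version
# part is optional because many servers send only the product token.
_SERVER_RE = re.compile(r"^\s*(?P<product>[A-Za-z][\w.-]*)(?:/(?P<version>[\w.]+))?")


def parse_server_header(value: str) -> tuple[str, Optional[str]]:
    """Return (product, version) from a Server header; ("", None) if unparseable."""
    m = _SERVER_RE.match(value or "")
    if not m:
        return ("", None)
    return (m.group("product"), m.group("version"))


def audit(inventory: list[dict]) -> list[dict]:
    """Return one finding per inventory entry whose server is past end of life."""
    findings = []
    for entry in inventory:
        product, version = parse_server_header(entry.get("server", ""))
        eol = EOL_DATES.get((product, version)) if version else None
        if eol is not None:
            findings.append(
                {"host": entry["host"], "product": product, "version": version, "eol": eol}
            )
    return findings


# Constructed sample inventory; hosts use the reserved .test TLD.
SAMPLE_INVENTORY = [
    {"host": "intranet.example.test", "server": "Microsoft-IIS/6.0"},
    {"host": "www.example.test", "server": "Microsoft-IIS/10.0"},
    {"host": "api.example.test", "server": "nginx/1.12.0"},
    {"host": "legacy.example.test", "server": "Microsoft-IIS/6.0"},
    {"host": "quiet.example.test", "server": ""},  # header suppressed
]


if __name__ == "__main__":
    for f in audit(SAMPLE_INVENTORY):
        print(f"{f['host']}: {f['product']}/{f['version']} unsupported since {f['eol']}")
```

A `Server` header can be suppressed or rewritten by a reverse proxy, so a host that is not flagged is not thereby safe; the check is inventory hygiene that tells you where an unsupported web server is known to be exposed, not a substitute for patching or decommissioning it.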
Extended support finished 2 years ago, yet apparently there are still many admins (I use that term advisedly) running public-facing websites who think it's perfectly acceptable to run this software. This is beyond moronic, but short of giving them all a royal kick up the backside I can't see a solution unless the companies involved fancy paying MS $$$ for a fix just for them.
independent web server surveys suggest that IIS 6.0 still powers millions of public websites
Whaa?? Who runs a public web site on a 14-year old version of the server???? That site claims 8 million of them!
But that's what you get for choosing a MS product.
As comparison: apache moved on to apache2 but you can still run apache(1) if you choose to, no matter the OS.
It's bad enough having to upgrade your servers to a new OS every few years. It's even worse to upgrade all web and database stuff to newer and usually not backward-compatible stuff.
Only idiots think 5 years is a long time. Plenty of stuff out there survives a few decades. It's not the new and shiny stuff that rules the cyberspace world but, more often than not, the ancient, rusty but oiled cogwheels.
Why would someone run a Microsoft web server vs. Nginx on OpenBSD?
Just asking, cuz I honestly can't fathom a situation where this would be desirable??? Maybe I'm missing something?
- "It's working, why would we buy a new server?"
- "That's a business-critical application that has to run on Microsoft(tm) Windows(tm) Internet-Information-Server(tm), touch it and you're fired"
- "Just install a security patch or something and stop whining"
- "what???? Windows2003 is end-of-life? Never heard of that, we need at least two years to plan a migration to Windows 2008.... oh fuck, that's also going eol next month???"
Nginx wasn't around when the website was created.
It doesn't matter how secure your OS is if you're running a vulnerable web server. If you open telnet on OpenBSD, you can consider yourself pwned.
Nginx has a better record than IIS, but you know, it's not perfect. Maybe you can run a proxy in front of it to defend against security vulns.
"First they came for the slanderers and i said nothing."
I suppose you've never used ASP.NET or C# or .NET at any point.
Well, it turns out that they're actually quite good. Their biggest drawback, until recently, was that they were only supported on Windows.
But in terms of functionality, they're even still lightyears ahead of anything the open source community has managed to create.
ASP.NET is a sane, sensible way of building large-scale web applications and web APIs. It provides useful abstractions, but without going totally overboard like so many Java web frameworks do. You won't be drowned in design pattern hell. But it also provides more structure than most PHP frameworks provide. Yet it isn't as inflexible and opinionated as Ruby on Rails is. It's as close as anyone has gotten to a practical balance.
C# is an excellent programming language. It took the best parts of languages like Java and C++, but discarded a lot of their failures. It's a much, much, much better language than PHP or Ruby or JavaScript. It has a great blend of strictness where it's useful, but while also being extraordinarily flexible when that's needed. .NET as a runtime is fast, light and performs very well. It puts the JVM to shame, and it blows the various Ruby and JavaScript interpreters/VMs to pieces. It also includes a complete and sane standard library. The only other library I've ever seen that comes close is Python's. It's hard to go back to Java's standard library after using .NET's, just because Java's ends up looking so inconsistent and dumb so much of the time.
Microsoft does a lot wrong, but ASP.NET, C# and .NET are some things that they've done so much better than anyone else, and nobody has caught up yet. The open source communities are still dicking around with PHP, Ruby on Rails, and worst of all, Node.js, none of which are anywhere near as good as what Microsoft has created.
Now we're seeing Microsoft port these technologies to Linux and macOS, which gets rid of their main drawback: the need for Windows.
Aside from using legacy applications, it's getting to the point where technologies like Ruby on Rails, PHP and Node.js should be seen as obsolete, as the cross-platform technologies Microsoft is now providing are so much better.
This pretty much summed up our last CIO Meeting.
Sig Follows: "Suppose you were an idiot. And suppose you were a member of Congress. But I repeat myself." -- Mark Twain
Because rewriting all your ASP.NET apps to run under nginx costs a lot for little noticeable business benefit.
Use. Linux.
And what would that bring? Apache has the same support life as IIS.
IIS 6 and Windows 2003 came out in 2003, EOLed in 2015.
Apache 2.0 and Linux 2.4.19 came out in 2003, EOLed in 2013 and 2012 respectively.
Silly take-home message: You get a year longer support with MS.
Real take-home message: Not using MS doesn't make you any less stupid a system admin if you don't update your public-facing software and run systems that are currently within their service life.
I'll put an unpatched Netware 4.12 server **directly on the internet**
That's a good idea. No one will know how to hack into it over IPX.