One day after a security researcher published attack code for a flaw in the Microsoft IIS server software, Microsoft said it plans to patch the issue.
Microsoft also released a security advisory describing the problem and detailing technical workarounds that system administrators can implement while they're waiting for a patch. "We’re currently investigating the issue... and working to develop a security update," Microsoft said in a note on its website. "This update will be released once it reaches an appropriate level of quality for broad distribution."
The next set of Microsoft security patches is due on September 8, 2009. It's not clear if the company will be able to develop and test its IIS (Internet Information Services) patch in time for that update, however.
The attack code was published on Monday by Nikolaos Rangos, who said he did not notify the software company of the issue ahead of time. Rangos's attack is considered to be very reliable on IIS 5 systems and could be used to run unauthorised software on the server.
The flaw lies in the FTP (File Transfer Protocol) software used by IIS, and is considered to be a critical issue for users of the older IIS 5 product. IIS 6 users are also affected, but they are at reduced risk because of the way IIS 6 was compiled, Microsoft said in its advisory. "This does not remove the vulnerability but does make exploitation of the vulnerability more difficult."
Users running the more recent IIS 7, and those who are not running the FTP service, are not affected, Microsoft said.
Even for IIS 5 and 6 users, there's another mitigating factor: "Affected systems are not vulnerable unless untrusted FTP users are granted write access. By default, FTP users are not granted write access," Microsoft said.
Although nobody has yet reported real-world attacks using Rangos's code, security vendor Symantec said on Tuesday that "many systems will be vulnerable across the internet and that in-the-wild attacks will occur".
Another security company, Secunia, rates the flaw 'moderately critical'.
Last May, web analytics firm Netcraft counted 2.8 million sites still using the IIS 5 software, but it's not clear how many of them would have the FTP set-up that would make them vulnerable to this attack.