MS Denial-of-service patch misses hole

Denial-of-service patch misses hole

Microsoft's security fix fails to prevent attack

By Eric J. Bowden, BUGNET

May 15 - The fix is not in. Microsoft posted a patch to close yet another denial-of-service vulnerability in its Internet Information Server (IIS) versions 4 and 5 that could slow or even completely stop your Internet server. The hole was reported to Microsoft on April 15 by the Underground Security Systems Research (USSR) organization. But BugNet testing has revealed that the fix posted May 11 does not repair the vulnerability as originally reported by USSR.

MICROSOFT IS NOW TRYING to reproduce our results but has not issued a definitive statement on when this problem will be resolved. (Microsoft is a partner in MSNBC.)

In a day when the lifeblood of a company flows through the Internet, it's no wonder businesses are so concerned about keeping their web sites online. Any attempt at intentionally disrupting the web site is viewed as tantamount to industrial espionage. That is why Denial of Service (DoS) has become the battle cry of businesses, and protecting a web site from DoS attacks has become integral to corporations' Internet strategy.

This particular vulnerability involves using a malformed data extension in a URL that will increase use of the IIS server's CPU to 100 percent, thus slowing or even eliminating IIS's ability to service requests. On May 11, USSR posted an executable that would exploit this vulnerability at the same time that Microsoft posted the fix. Even though this exploit can have a devastating impact on an IIS Web server, this vulnerability does not allow a malicious user to modify data or take administrative control of the server.

It was only through testing this security hole and its fix that BugNet discovered that the patch didn't work as described. The screen capture of the Windows Task Manager below shows the effects of the exploit after the Microsoft IIS patch has been installed on an IIS 5 server running on Windows 2000. BugNet tested both IIS 4 on Windows NT and IIS 5 on Windows 2000. In both cases the patch did not protect the server from the effects of the exploiting executable. Even after installing Microsoft's patch, this IIS 5 server was still just as susceptible to the attack. We did find an unrelated Microsoft Knowledge Base article whose instructions do protect against this specific exploit. But with the exploiting executable readily downloadable from USSR's Web site and no clear connection to the fix that does work, this puts IIS servers in a very precarious situation. Stay tuned for further updates.

http://www.msnbc.com/news/407979.asp?cp1=1#BODY

-- Martin Thompson (mthom1927@aol.com), May 16, 2000

