Microsoft Briefs BetaNews on IIS Bug
In light of the IIS 5 ISAPI Extension bug, a Microsoft spokesperson contacted BetaNews with a detailed briefing of the company's response. The flaw, which affects only customers running IIS5, is considered to be a serious threat since the software's default configuration leaves users open to attack. Microsoft has utilized many avenues to inform customers of the importance of applying the security patch. The release of the second Service Pack for Windows 2000 has also been delayed in order to incorporate this latest fix.
By sending a unique string of characters to an IIS 5 machine with Internet Printing enabled, a malicious user can gain full access to a Web server. The printing service module is installed by default. Microsoft informed BetaNews, "IIS 5.0 customers are not at risk if they have removed the Internet Printing capability from their servers. The IIS 5.0 security checklist recommends that this be done, and the security template provided in the checklist removes it. Likewise, the IIS 5.0 Lockdown Tool removes the capability unless the user explicitly chooses to retain it."
This morning, over 130,000 subscribers to the Redmond giant's popular security e-mail list received bulletin MS01-023, detailing the flaw. The Microsoft security site was also accessible, and according to the spokesperson is "one of the most frequently visited sites on the Microsoft network." The spokesperson continued, "Microsoft’s worldwide Technical Account Managers (TAMs) and Application Development Consultants (ADCs) have been mobilized to personally alert Premier customers to this vulnerability and assist them in installing the patch." In a multi-tiered effort, Microsoft plans on having the media, analysts, and the security community spread the word – sparing no effort to maximize communication. Microsoft claims that an effective response will neutralize the broad threat that this vulnerability represents.