Microsoft IIS zero-day attack alert

Microsoft IIS must be known to all. The code for Microsoft IIS zero-day attacks against some versions of FTP functions has already appeared on the Internet, and the Network Security Organization recommends corresponding countermeasures. It is unknown whether Microsoft has enough time to fix this vulnerability in the regular Microsoft Security Patch in March.

Network Security Organization US-CERTthe U. s. computer Emergency Readiness Team, United States Computer Emergency Response Team) recently issued a warning that the concept of proof code proof-of-concept code for FTP Module 0-day vulnerabilities in Microsoft IIS 5.0 and 6.0) has appeared on the network.

"We have noticed that a vulnerability has been made public, targeting FTP services in Microsoft Internet Information Service (IIS)," said US-CERT spokesman, "This vulnerability allows remote attackers to gain control of the system and execute arbitrary code."

According to reports, the attack code of this vulnerability was published on the hacker organization's Milw0rm website. Currently, it seems that this vulnerability mainly affects Microsoft IIS of the old version, it only works when the FTP function is enabled. Therefore, the US-CERT recommends that the IT administrator temporarily disable the anonymous write permission on the Microsoft iis ftp server as a risk mitigation measure ", however, they added that "appropriate impact analysis should be conducted before defense measures are taken."

The details and extent of the vulnerability are unclear. Symantec researchers did not comment immediately and are still analyzing the proof-of-concept code of the vulnerability.

Microsoft said they have begun to study published vulnerabilities and are ready to provide reasonable protection measures. "No attacks that attempt to exploit this vulnerability or have any impact on customers have been found," a Microsoft spokesman stated in an email. Microsoft said that once the vulnerability is confirmed, all possible steps will be taken to protect the customer.

Microsoft usually publishes Microsoft security bulletins on the second Tuesday of every month. The next Microsoft Security announcement will be announced on July 15, September 8. Therefore, by convention, Microsoft will release initial information for the next Tuesday Security Announcement on Thursday. So let's take a look and see if Microsoft has enough time to fix this vulnerability in regular patches in March. Our attitude towards Microsoft IIS is still on the sidelines.