Educause Security Discussion mailing list archives
Microsoft IIS security update ms08-006 looks critical to me
From: Gary Flynn <flynngn () JMU EDU>
Date: Tue, 12 Feb 2008 16:22:37 -0500
This probably isn't a big deal if "classic ASP" isn't enabled on very many IIS sites, but if it is, this update deserves a 'critical' rating.

Just to set the record straight, Microsoft's definition of a critical update is:

"A vulnerability whose exploitation could allow the propagation of an Internet worm without user action."

http://www.microsoft.com/technet/security/bulletin/rating.mspx

Let's see,

"This is a remote code execution vulnerability."

"An attacker who successfully exploited this vulnerability could then perform actions on the IIS Server with the same rights as the Worker Process Identity (WPI), which is configured with Network Service account privileges by default. Services configured with Network Service account privileges obtain authenticated user level access, not administrative level access."

http://www.microsoft.com/technet/security/bulletin/ms08-006.mspx

so a human attacker or automated code can connect to an IIS server and exploit it to provide an unauthorized user account which can run a program using standard network calls available to any user that can connect to an IIS server and exploit it to provide an unauthorized user account which can run a program using standard network calls available to any user that can connect to an IIS server and exploit it to provide an unauthorized user account which can run a program using standard network calls available to any user that can connect to an IIS server and exploit it to provide an unauthorized user account which can run a program using standard network calls available to any user that can...

Sounds wormable to me.

Perhaps the rating system needs to be reviewed anyway to take into account other factors. I don't know about you, but having an unauthorized user with authenticated user privileges on an enterprise product like IIS sounds pretty critical to me even if they don't have administrator access.
1) They'll have access to the local network, possibly behind a firewall, with the opportunity to connect to adjacent systems possibly including:
   a) back-end application or database server.
   b) backup system
2) They may be able to sniff the network depending upon what is already installed on the system.
3) They will be able to download more code and data.
4) It provides the opportunity to exploit elevation of privilege defects and vulnerabilities (there is even an update for one released in the same batch - MS08-005)
5) They'll have read access to a large part of the server.

--
Gary Flynn
Security Engineer
James Madison University
www.jmu.edu/computing/security