Microsoft Security Advisory 975191 Revised

Published: 2009-09-08
Last Updated: 2011-02-08 23:52:14 UTC
by Adrien de Beaupre (Version: 1)
1 comment(s)

We wrote about the new IIS FTP service vulnerabilities when the exploit code became public in diary 7039, and again when Microsoft published their advisory some time afterwards in diary 7063. Not surprisingly, Microsoft have revised their security advisory to let us know that there have been reports of incidents where this exploit was used to compromise systems. This might seem counterintuitive, as the exploit code was public prior to the advisory coming out. It is more likely that there were few reports even though the exploit was being actively used. There are not all that many IIS servers running FTP on the Internet; in fact, there are fewer public FTP servers than in the past. Where this exploit may have been used is in attacks against internal FTP servers.

Microsoft have also reminded admins that version 7.5 of their FTP service is available for download (although only for Windows Server 2008), and is not vulnerable to these attacks. Hopefully a patch will be out shortly.

Cheers,
Adrien de Beaupré
Intru-shun.ca Inc.

 


Comments

I would like to suggest a good workaround to avoid multiple bruteforce attacks on IIS.

Just download http://winfail2ban.sourceforge.net/, a FREE port of Linux Fail2Ban that blocks IP addresses that attempt to brute force your FTP.
