Sister CISA CISSP

Sep 11 2009   7:35PM GMT

Paying Attention to FTP

Arian Eigen Heald

A newly discovered set of FTP flaws (a buffer-overflow) allows an attacker to install unauthorized software on an Internet Information Services (IIS) server or even to crash the box. The bad guys can plant code on your FTP servers or launch a denial-of-service (DoS) attack against your IIS website. The remote-execution vulnerability, which was first described on Aug. 31, could allow an attacker to run malicious code.

According to Microsoft, the vulnerable versions of the FTP service (versions 5 and 6) shipped on several Windows and Windows Server OSes over the years. The company says the latest version of the FTP service, 7.5, is not vulnerable on Vista and Windows Server 2008.

These attacks can use an anonymous account that has both read and write permissions, but any user with read/write can perform the attack.

Microsoft has updated security advisory 975191, but there is not yet a patch available.

Some workarounds are available for the FTP flaws, but keep in mind that they don’t really resolve the risks.

Here are the primary recommendations:

* Upgrade the FTP service. If you’re running Vista or Windows Server 2008, Microsoft recommends upgrading to IIS 7.5. FTP sites will still need to be migrated from the FTP service in IIS 6 to the equivalent in IIS 7.5.

* Remove anonymous users. If you’re running versions of Windows other than Vista or Windows Server 2008, you’ll need to remove your anonymous FTP users.

* Disable the FTP service. If you don’t need the FTP service in IIS, turn it off.

With older versions of Windows Server, IIS, SMTP and FTP were installed by default. If that’s the case, uninstall them entirely. Why let an unused service take up resources AND provide a security flaw?
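To check whether an FTP server you administer meets the condition described above (an anonymous account with both read and write), the following added example, which is not part of the original post, probes a session with Python's standard `ftplib`. The probe file name, the `StubFTP` class and its banner are constructed so the example runs offline.

```python
import ftplib
import io

PROBE = "anon-write-probe.tmp"  # hypothetical probe file name

def _allowed(action):
    """Run one FTP action; a permanent (5xx) reply means it is denied."""
    try:
        action()
        return True
    except ftplib.error_perm:
        return False

def audit_anonymous_ftp(ftp):
    """Report what an anonymous user can do on a connected, not yet logged-in session."""
    login = _allowed(ftp.login)  # ftplib defaults to user "anonymous"
    read = login and _allowed(lambda: ftp.retrlines("LIST", lambda line: None))
    write = login and _allowed(
        lambda: ftp.storbinary("STOR " + PROBE, io.BytesIO(b"audit probe\n")))
    if write:
        _allowed(lambda: ftp.delete(PROBE))  # clean up; ignore a denied delete
    return {"banner": ftp.getwelcome(), "login": login, "read": read, "write": write}

def needs_workaround(report):
    # The post's condition: an anonymous account with both read and write.
    return report["read"] and report["write"]

class StubFTP:
    """Constructed stand-in for ftplib.FTP so the example runs offline."""
    def __init__(self, anon=True, writable=True):
        self.anon, self.writable = anon, writable
    def getwelcome(self):
        return "220 Microsoft FTP Service"  # constructed banner
    def login(self):
        if not self.anon:
            raise ftplib.error_perm("530 User anonymous cannot log in.")
    def retrlines(self, cmd, callback):
        callback("01-01-09  12:00AM  0 readme.txt")  # constructed listing line
    def storbinary(self, cmd, fp):
        if not self.writable:
            raise ftplib.error_perm("550 Access is denied.")
    def delete(self, name):
        pass

if __name__ == "__main__":
    for stub in (StubFTP(), StubFTP(writable=False), StubFTP(anon=False)):
        print(needs_workaround(audit_anonymous_ftp(stub)))
```

Against a real server, pass a connected `ftplib.FTP` object in place of the stub. A server that reports `write: False` for anonymous users can still be exposed through any named account with read/write, as noted above.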
