A newly discovered set of FTP flaws (a buffer overflow) allows an attacker to install unauthorized software on an Internet Information Services (IIS) server or even to crash the box. The bad guys can plant code on your FTP servers or launch a denial-of-service (DoS) attack against your IIS website. The remote-execution vulnerability, first described on Aug. 31, could allow an attacker to run malicious code.
According to Microsoft, vulnerable versions of the FTP service have shipped with several Windows and Windows Server operating systems over the years: versions 5 and 6 are affected, while version 7.5, the latest release, which is available for Vista and Windows Server 2008, is not vulnerable.
The attack can be carried out through an anonymous account that has both read and write permissions, but any user with read/write access can perform it.
Microsoft has updated security advisory 975191, but there is not yet a patch available.
Some workarounds are available for the FTP flaws, but keep in mind that they don't fully resolve the risk.
Here are the primary recommendations:
* Upgrade the FTP service. If you’re running Vista or Windows Server 2008, Microsoft recommends upgrading to IIS 7.5. FTP sites will still need to be migrated from the FTP service in IIS 6 to the equivalent in IIS 7.5.
* Remove anonymous users. If you’re running versions of Windows other than Vista or Windows Server 2008, you’ll need to remove your anonymous FTP users.
* Disable the FTP service. If you don’t need the FTP service in IIS, turn it off.
With older versions of Windows Server, IIS, SMTP and FTP were installed by default. If that’s the case, uninstall them entirely. Why let an unused service take up resources AND provide a security flaw?
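The following PowerShell script is an added example, not from the article or from Microsoft's advisory. It audits a Windows Server 2003 / IIS 6 host for the conditions the workarounds above address: whether the IIS FTP service (Windows service name MSFTPSVC) is installed and running, whether each FTP site allows anonymous logon, and whether the site root grants write access (the read/write combination the article says the attack needs). Remediation is opt-in through two switches. It assumes the IIS 6 metabase is reachable through the ADSI `IIS://` provider, that FTP sites appear as `IIsFtpServer` children of `MSFTPSVC` with an `AllowAnonymous` property and a `ROOT` virtual directory carrying `AccessWrite`, and that it is run as a local administrator.

```powershell
# Added example: audit (and optionally remediate) the IIS 6 FTP service.
#   -DisableAnonymous  turns off anonymous logon on every FTP site (workaround 2)
#   -DisableService    stops and disables MSFTPSVC entirely      (workaround 3)
# Assumptions: IIS 6 metabase via ADSI, run elevated on the FTP host.
param(
    [switch]$DisableAnonymous,
    [switch]$DisableService
)

# 1. Is the FTP service even present? If not, there is nothing to fix.
$svc = Get-Service -Name 'MSFTPSVC' -ErrorAction SilentlyContinue
if (-not $svc) {
    Write-Output 'MSFTPSVC is not installed: no IIS FTP service on this host.'
    return
}
$startMode = (Get-WmiObject -Class Win32_Service -Filter "Name='MSFTPSVC'").StartMode
Write-Output ("MSFTPSVC: status={0}, start mode={1}" -f $svc.Status, $startMode)

# 2. Walk every FTP site in the metabase and report anonymous + write exposure.
$ftpRoot = [ADSI]'IIS://localhost/MSFTPSVC'
foreach ($site in $ftpRoot.psbase.Children) {
    if ($site.psbase.SchemaClassName -ne 'IIsFtpServer') { continue }

    $siteId  = $site.psbase.Name
    $comment = $site.psbase.InvokeGet('ServerComment')
    $anon    = [bool]$site.psbase.InvokeGet('AllowAnonymous')

    # The site's home directory lives at MSFTPSVC/<id>/ROOT; AccessWrite is the
    # metabase flag that lets a logged-on user upload files (assumed path).
    $root  = [ADSI]("IIS://localhost/MSFTPSVC/{0}/ROOT" -f $siteId)
    $write = [bool]$root.psbase.InvokeGet('AccessWrite')

    $risk = if ($anon -and $write) { 'HIGH: anonymous + write' }
            elseif ($write)        { 'MEDIUM: authenticated write' }
            else                   { 'low: read-only' }
    Write-Output ("Site {0} '{1}': AllowAnonymous={2} AccessWrite={3} -> {4}" -f
                  $siteId, $comment, $anon, $write, $risk)

    if ($anon -and $DisableAnonymous) {
        $site.psbase.InvokeSet('AllowAnonymous', $false)
        $site.psbase.CommitChanges()
        Write-Output ("  anonymous logon disabled on site {0}" -f $siteId)
    }
}

# 3. Optionally remove the exposure altogether: stop and disable the service.
if ($DisableService) {
    Stop-Service -Name 'MSFTPSVC' -Force
    Set-Service  -Name 'MSFTPSVC' -StartupType Disabled
    Write-Output 'MSFTPSVC stopped and set to Disabled.'
}
```

Run it first with no switches to get an inventory; a site flagged "HIGH" is exactly the anonymous read/write configuration the advisory singles out. Disabling anonymous logon narrows the exposure to authenticated users, which is why the article, and the script's second switch, still point toward turning the service off where it is not needed.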