Microsoft yesterday released Microsoft Security Advisory (971492), which contains information regarding a security vulnerability that affects Internet Information Services (IIS) 5.0, 5.1 and 6.0. Microsoft describes the flaw as follows: "Microsoft is investigating new public reports of a possible vulnerability in Microsoft Internet Information Services (IIS). An elevation of privilege vulnerability exists in the way that the WebDAV extension for IIS handles HTTP requests. An attacker could exploit this vulnerability by creating a specially crafted anonymous HTTP request to gain access to a location that typically requires authentication."
Microsoft currently does not know of any cases of this vulnerability being exploited: "We are not aware of attacks that are trying to use this vulnerability or of customer impact at this time. Microsoft is investigating the public reports." They say they will continue to monitor the situation and will either post a patch on Patch Tuesday or release an out-of-cycle security update. The good news is that, according to Microsoft, this flaw can only be taken advantage of in very specific circumstances.
Mitigating Factors:
- File system ACLs are enforced. This vulnerability bypasses the IIS configuration that specifies which authentication is allowed, but not the file system-based ACL check that verifies whether a file is accessible by a given user. A successful exploit of the vulnerability would still restrict the attacker to the permissions granted to the anonymous user account on file system ACL level. Therefore this vulnerability cannot be used to exceed the level of access granted to the anonymous user account through file system ACLs. The default anonymous user account is configured as the IUSR_<computername> account.
- The anonymous user account is denied write access by default. In order to successfully exploit this vulnerability with write access, the anonymous user account would need to have write access ACLs set within the IIS folder structure. However, by default, the anonymous user account only has read access ACLs set. On IIS 6.0, there is an explicit deny ACE for the default anonymous user account. Unless overridden by the administrator, this deny ACE will be inherited by all children under the default Web site root.
- WebDAV is not enabled by default on IIS 6.0. On Windows Server 2003 systems running IIS 6.0, WebDAV is not enabled in the default configuration. Unless WebDAV has been enabled by an administrator on these systems, the vulnerability is not exposed.
Therefore the following IIS configurations are not affected:
- An IIS server not running WebDAV is safe (Windows Server 2003's IIS (version 6) shipped with WebDAV disabled by default)
- An IIS server not using IIS permissions to restrict content to authenticated users is safe.
- An IIS server that does not grant filesystem access to the IUSR_[MachineName] account is safe.
- An IIS server that hosts web applications using only forms-based authentication is probably safe.
If you are running any of these configurations then you are not exposed to the vulnerability. If your IIS configuration might be exposed to this flaw, then you can follow Microsoft's "Mitigating Factors" in their security bulletin to help reduce your exposure until a patch is released.
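As an added illustration, not code from the advisory or this article, the following Python script applies the conditions above to an IIS W3C extended log: it flags anonymous requests that succeeded on paths assumed to require IIS authentication (where a 401 challenge would be the normal response), and anonymous WebDAV write methods that succeeded, which per the advisory should fail because the anonymous account lacks write ACLs by default. The log excerpt, the `/protected/` prefix and the logged field set are constructed assumptions.

```python
# Constructed IIS 6.0 W3C extended log excerpt (not taken from the advisory).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 6.0
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status
2009-05-19 10:00:01 GET /index.htm - 10.0.0.5 200
2009-05-19 10:00:02 GET /protected/report.doc - 10.0.0.5 401
2009-05-19 10:00:03 GET /protected/report.doc CORP\\alice 10.0.0.9 200
2009-05-19 10:00:04 PROPFIND /protected/ - 10.0.0.7 207
2009-05-19 10:00:05 GET /protected/report.doc - 10.0.0.7 200
2009-05-19 10:00:06 PUT /uploads/x.txt - 10.0.0.7 201
"""

# Assumed: virtual directories that IIS restricts to authenticated users.
PROTECTED_PREFIXES = ("/protected/",)
# WebDAV methods that modify content; an anonymous success here means the
# anonymous account holds write ACLs, which the advisory says is not the default.
WEBDAV_WRITE_METHODS = {"PUT", "DELETE", "MKCOL", "MOVE", "COPY", "PROPPATCH", "LOCK"}


def parse_w3c(text):
    """Parse W3C extended log lines into dicts keyed by the #Fields header."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip() or fields is None:
            continue
        else:
            parts = line.split()
            if len(parts) == len(fields):
                rows.append(dict(zip(fields, parts)))
    return rows


def audit(text):
    """Return (c-ip, method, uri, reason) tuples for anonymous requests that
    succeeded where IIS authentication or ACLs should have stopped them."""
    findings = []
    for r in parse_w3c(text):
        anonymous = r["cs-username"] == "-"          # IIS logs "-" for anonymous
        success = r["sc-status"].startswith("2")     # 200, 201 and 207 Multi-Status
        if not (anonymous and success):
            continue   # a 401 to an anonymous client is the normal challenge
        uri, method = r["cs-uri-stem"].lower(), r["cs-method"].upper()
        if uri.startswith(PROTECTED_PREFIXES):
            findings.append((r["c-ip"], method, uri, "anonymous success on protected path"))
        elif method in WEBDAV_WRITE_METHODS:
            findings.append((r["c-ip"], method, uri, "anonymous WebDAV write succeeded"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(*finding)
```

Point `SAMPLE_LOG` at a real log file and adjust `PROTECTED_PREFIXES` to the directories your IIS metabase restricts to authenticated users; on a healthy server the result should be empty.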
While Microsoft maintains that there are no known attacks exploiting the vulnerability in the wild, security experts speculated that it was likely that there was some kind of malicious activity related to the flaw that ultimately prompted Microsoft to release a public security advisory.
"They issue an advisory when they think that something is going on out there, but it's mitigated and it's not nearly as bad as the Web server vulnerabilities of early 2000," said Eric Shultze, chief technology officer for Shavlik Technologies.