Microsoft to IIS 5.x Users - Die

If you use Microsoft server software, somewhere along the way you’ve decided to live with a certain level of security problems for….well, for any number of bad reasons. Security alerts on Microsoft software are so common they tend drown in to the background noise. But after I read this story, I decided this fell beneath that low ceiling to the are-you-bleeping-me category.

Here’s a summarized version.

Exploit code found for IIS 5.x (the version that comes with Windows 2000 and XP) in late 2006. This is nothing new - Windows exploits are like Tribbles. So far the exploit has been shown to gives users the ability to bypass basic authentication and access documents they have no rights to, but it could theoretically be used to take over systems. In other words, your run of the mill oh-my-god-oh-my-god Windows exploit.

After sitting on this exploit for six months (very common), Microsoft declared the exploit to be a feature rather than an exploit (also not atypical), although this feature doesn’t appear in later versions of IIS, indicating somebody on the IIS team thought having this feature go away would be a feature in itself. Then they published code showing you how to exploit the vulnerability.

Yes, you read that right. They published exploit code.

They would only do that if they had a patch available, right? Wrong. Microsoft said it has no plans on fixing the problem and instead recommends all users to upgrade to IIS 6 as soon as possible. Which in turn requires you to upgrade to Windows 2003 (server) or Vista (desktop). Which in turn probably means new hardware. Since IIS is closed-source proprietary code, you aren’t fixing it either.

As an organization that still has mission-critical Windows 2000 web servers, that’s not cool. I can understand dropping support for old products and encouraging me to upgrade. It’s quite another thing to publish unpatched exploits to speed me along the way. I think even Gandhi would trek to Redmond and give Ballmer a good wack in the shin with his walking stick for this one.

If you have decided to live with the security problems and use Windows/IIS as your web server platform, perhaps it is time to revisit that decision. If you are lucky enough to have nothing written in classic ASP or ASP.NET on your web server, I’d tack one more option onto Microsoft’s IIS upgrade solution: Apache.