E-Commerce Sites: Open Sesame?

Microsoft is scrambling to fix a significant flaw in its Internet Information Server that could open e-commerce sites to remote control by crackers. By Niall McKay.


A major security flaw in a Microsoft Web server could allow crackers to take complete control of e-commerce Web sites, security experts warned Tuesday.

The flaw in Microsoft's Internet Information Server 4.0 allows unauthorized remote users to gain system-level access to the server, according to Firas Bushnaq, CEO of eEye, the Internet security firm that discovered it.

"This hole is so serious it's scary," said Jim Blake, a network administrator for Irvine, a city in southern California.

"With other [Windows NT] security holes, crackers have needed to gain some level of user access before executing code on the server. This is different.... Anybody off the Web can crack IIS," he said.

More than 1.3 million Microsoft IIS servers are up and running on the Web. Nasdaq, Walt Disney, and Compaq are among the larger e-commerce operations run off the server, according to NetCraft Internet surveys.

Microsoft confirmed that the problem exists and said that it is working on a fix. Customers, however, have not been notified.

"Normally we will post the problem and the bug fix at the same time," said Microsoft spokeswoman Jennifer Todd. "We take these security issues very seriously, and the patch will be available [soon]."

The fix will be posted to Microsoft's security Web site, "probably in the next couple of days," Todd said.

The exploit is just one of a long list of security flaws affecting IIS 4.0. In May, security experts found an exploit that enabled crackers to gain read access to files held on IIS when they requested certain text files.

Last summer, an exploit known as the $DATA Bug granted any non-technical Web users access to sensitive information within the source code used in Microsoft's Active Server Page, which is used on IIS.

And in January, a similar IIS security hole was discovered, one that exposed the source code and certain system settings of files on Windows NT-based Web servers.

But the latest problem appears to be the most serious because of the level of access it reportedly allows.

"The exploit gives crackers access to any database or software residing on the Web server machine," said Bushnaq. "So they could steal credit-card information or even post counterfeit Web pages."

For instance, crackers could exploit the bug to modify stock prices at one of the many news and stock information sites running IIS.

The hole allows remote users to gain control of an IIS 4.0 server by creating what is known as a "buffer overflow" on .htr Web pages -- an IIS feature designed to enable users to remotely change their passwords.

A buffer overflow can occur when a system is fed a value much larger than it was written to expect. In the case of this bug, the Dynamic Link Library (DLL) that handles the .htr file extension, called ISM.DLL, can be overflowed by a utility that feeds it more characters than it expects.

Once overflowed, the DLL stops working and the content of the overflow "bleeds" into the system.
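As an added illustration of the mechanism the article describes, and not code from the article, eEye, or Microsoft, the following C program shows the two defensive pieces a practitioner would want: the bounded copy that an unchecked copy into a fixed buffer should have been (it refuses input that would not fit instead of letting it spill past the buffer), and a request-line check of the kind a proxy or a log review could apply to flag unusually long requests for .htr resources. The PATH_LIMIT value, the /pwchange.htr path, and the sample request lines are constructed assumptions; the real size of the buffer in ISM.DLL is not given in the article.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Assumed ceiling for a sane request path. The real ISM.DLL buffer size is not
 * given in the article, so this is a hypothetical tuning value. */
#define PATH_LIMIT 256

/* Return 1 if `line` is an HTTP request for a .htr resource whose path part
 * (before any '?') is longer than `limit`; 0 for anything else, including
 * malformed lines. The extension check is case-insensitive. */
int is_oversized_htr_request(const char *line, size_t limit)
{
    const char *path = strchr(line, ' ');
    if (path == NULL)
        return 0;
    path++;                                   /* skip the method */
    const char *end = strchr(path, ' ');      /* start of "HTTP/1.x", if present */
    size_t plen = end ? (size_t)(end - path) : strlen(path);

    /* Length of the path without the query string. */
    size_t base = plen;
    const char *q = memchr(path, '?', plen);
    if (q)
        base = (size_t)(q - path);
    if (base < 4)
        return 0;

    const char *ext = path + base - 4;
    if (ext[0] != '.' ||
        tolower((unsigned char)ext[1]) != 'h' ||
        tolower((unsigned char)ext[2]) != 't' ||
        tolower((unsigned char)ext[3]) != 'r')
        return 0;

    return base > limit;
}

/* Bounded copy into a fixed buffer: the defensive counterpart of an unchecked
 * copy. Returns 0 on success, -1 (leaving dst untouched) if src would not fit
 * together with its terminating NUL. */
int copy_bounded(char *dst, size_t dstlen, const char *src)
{
    size_t n = strlen(src);
    if (dstlen == 0 || n >= dstlen)
        return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

/* Build a constructed request line "GET /<n x 'A'>.htr HTTP/1.0" into buf.
 * Returns 0, or -1 if buf is too small, so the demo itself cannot overflow. */
int make_long_htr_line(char *buf, size_t buflen, size_t n)
{
    const char *prefix = "GET /", *suffix = ".htr HTTP/1.0";
    size_t need = strlen(prefix) + n + strlen(suffix) + 1;
    if (need > buflen)
        return -1;
    char *p = buf;
    memcpy(p, prefix, strlen(prefix)); p += strlen(prefix);
    memset(p, 'A', n);                 p += n;
    memcpy(p, suffix, strlen(suffix) + 1);
    return 0;
}

/* Run the check over an array of request lines; return how many were flagged. */
int count_flagged(const char *const *lines, size_t count, size_t limit)
{
    int flagged = 0;
    for (size_t i = 0; i < count; i++)
        if (is_oversized_htr_request(lines[i], limit))
            flagged++;
    return flagged;
}

int main(void)
{
    char longline[1024];
    make_long_htr_line(longline, sizeof longline, 600);

    /* Constructed sample request lines; none of them are real traffic. */
    const char *sample[] = {
        "GET /default.htm HTTP/1.0",
        "GET /pwchange.htr HTTP/1.0",
        "GET /pwchange.HTR?user=alice HTTP/1.0",
        longline,
    };
    size_t n = sizeof sample / sizeof sample[0];

    for (size_t i = 0; i < n; i++)
        printf("%s  <- %.40s%s\n",
               is_oversized_htr_request(sample[i], PATH_LIMIT) ? "FLAG" : "ok  ",
               sample[i], strlen(sample[i]) > 40 ? "..." : "");
    printf("%d of %zu lines flagged\n", count_flagged(sample, n, PATH_LIMIT), n);

    char name[32];
    printf("bounded copy of short name: %d\n", copy_bounded(name, sizeof name, "alice"));
    printf("bounded copy of long name : %d\n", copy_bounded(name, sizeof name, longline));
    return 0;
}
```

The length check is deliberately applied to the path component only, because that is the part the .htr handler receives; a reviewer tuning such a rule would set the limit from the longest legitimate .htr path on the site rather than from a guess.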

"Normally, this would just crash the system," said Space Rogue, a member of L0pht Heavy Industries, an independent security consulting firm that last year testified before the United States Senate on government information security.

"But a good cracker can write an exploit where the data that overflows will actually be an executable program that will run as machine code," said Space Rogue. Such a move could give a cracker complete control of the target system.

The program carried in the overflow can in turn launch a system-level program that delivers the equivalent of a DOS command window to the attacker's PC.

To demonstrate the hole, eEye wrote a program called IIS Hack that will enable users to crack and execute code on any IIS 4.0 Web Server.

However, disabling or removing the .htr password utility will not fix the problem, according to Bushnaq. "You have got to go through a series of steps to remove the faulty [code]."

eEye discovered the problem while beta testing a network security auditing tool.

"Remote exploits are about the most serious problems you can have with a Web server," said Space Rogue. "It gives the attacker root privileges, so the cracker not only has access to the IIS server but [to] software running on that machine."

"In many corporate sites today, this will give the cracker access to the entire network."

eEye is a software development firm specializing in security audit tools. Chief executive Bushnaq previously founded the electronic commerce site ECompany.com.