Microsoft Posts Web Server Fix

Microsoft has a temporary work-around for a security hole in its Internet Information Server. And it criticizes the Internet security firm that discovered the hole for publicizing it before a software patch was posted. By Niall McKay.


Microsoft has a work-around to secure Windows NT Web servers from the latest security hole and is working on a more permanent patch.

The security flaw, first reported Tuesday, could allow crackers to take complete control of e-commerce Web sites. Firas Bushnaq, CEO of eEye, the Internet security firm that discovered the hole, warned that unauthorized remote users could gain system-level access to the server.

The Microsoft "workaround" recommends that system administrators remove the script mapping for .htr files -- a fix that some find unsuitable because it also prevents users from changing their passwords remotely.

Microsoft is currently testing a software patch and will post it "imminently," according to Scott Culp, security product manager for Windows NT Server.

"Developing the patch is not the hard part," he said. "The hard part is providing one that will work on all platforms with all applications."

The security hole lies in a faulty dynamic link library (DLL) file that allows crackers to create what is known as a "buffer overflow," in which data "bleeds" past its intended storage area into the rest of the system, allowing access to other files.

A buffer overflow can occur when a system is fed a value much larger than it expects. In the case of this bug, the DLL that handles the .htr file extension, called ISM.DLL, can be overloaded by running a utility that sends the library far more characters than it was designed to accept.
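One thing an administrator can do while waiting for the patch is look for the signature of such requests in the server logs: a request for a .htr resource whose path is far longer than any legitimate password-change page. The script below is an added example, not code from eEye or Microsoft; it parses IIS-style W3C extended log lines (constructed samples, embedded inline) and flags oversized .htr requests. The 256-byte threshold is an assumed cut-off for illustration, not the size that triggers the real ISM.DLL flaw.

```python
from typing import Iterator, List, NamedTuple

# Assumed threshold for demonstration only; it is not the real overflow size.
MAX_HTR_URI_LEN = 256


class HtrHit(NamedTuple):
    time: str
    client_ip: str
    uri_len: int
    status: str


def parse_w3c(log_text: str) -> Iterator[dict]:
    """Yield one dict per record of a W3C extended log (the IIS format).
    '#Fields:' directives set the column names; other '#' lines are skipped."""
    fields = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            continue  # records before any #Fields: directive cannot be mapped
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed record: skip rather than guess column positions
        yield dict(zip(fields, values))


def find_oversized_htr(log_text: str, max_len: int = MAX_HTR_URI_LEN) -> List[HtrHit]:
    """Return requests whose URI stem targets a .htr resource and exceeds max_len."""
    hits = []
    for rec in parse_w3c(log_text):
        stem = rec.get("cs-uri-stem", "")
        if stem.lower().endswith(".htr") and len(stem) > max_len:
            hits.append(HtrHit(rec.get("time", "?"), rec.get("c-ip", "?"),
                               len(stem), rec.get("sc-status", "?")))
    return hits


# Constructed sample log: a normal password-change page, an unrelated page,
# and one overlong .htr request of the kind a scanner might send.
SAMPLE_LOG = "\n".join([
    "#Software: constructed sample",
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "1999-06-15 10:02:11 10.0.0.5 GET /iisadmpwd/aexp.htr - 200",
    "1999-06-15 10:02:45 10.0.0.9 GET /default.htm - 200",
    "1999-06-15 10:03:02 10.0.0.7 GET /" + "A" * 3000 + ".htr - 500",
])

if __name__ == "__main__":
    for hit in find_oversized_htr(SAMPLE_LOG):
        print(f"{hit.time} {hit.client_ip}: .htr request of {hit.uri_len} bytes (status {hit.status})")
```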

Microsoft has labeled eEye "irresponsible" for publicizing the security hole before the software patch was released and for posting on its site a program called IIS Hack that exploits the hole.

"Responsible companies do not publicize the security holes before a patch is available and do not publish hacking software," said Culp.

eEye has also published its own work-around that will enable system administrators to secure IIS servers without disabling the password utility.

"Why are they making us out to be the bad guys?" said Marc Maiffret, a programmer and security consultant with eEye. "We discovered the problem and notified them on the 8th of June."