A vulnerability has been discovered in Windows Server 2003 running IIS6 by two security researchers at the South China University of Technology, but Microsoft said it won’t issue a patch even though up to 600,000 servers could be running the unsupported software.
The researchers posted a proof-of-concept exploit for the zero-day to GitHub. The flaw, a buffer overflow vulnerability (CVE-2017-7269), has been traced to improper validation of the ‘If’ header in a PROPFIND request.
The researchers said the risk is not theoretical: the flaw was exploited in the wild in July or August 2016. It was publicly disclosed this week.
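A defender-side check for the request pattern described above, added here as an example and not taken from the researchers' PoC or from any product: it parses raw HTTP requests and flags PROPFIND requests whose If header is abnormally long or contains non-ASCII bytes, so it can be run over captured traffic in front of a server that cannot be upgraded. The length threshold, the non-ASCII heuristic and the sample requests are assumptions constructed for this example, not details from the article.

```python
# Assumed threshold: a legitimate WebDAV "If:" header carries a few lock
# tokens or ETags and stays short, so a very long value is worth a look.
IF_HEADER_MAX = 256


def parse_request(raw: bytes) -> dict:
    """Split a raw HTTP request into method, target and a header dict.

    Header values are kept as bytes so that non-ASCII content is preserved
    instead of being decoded away or raising an error.
    """
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    method, target, _version = lines[0].split(b" ", 2)
    headers = {}
    for line in lines[1:]:
        if b":" not in line:
            continue  # tolerate malformed header lines
        name, value = line.split(b":", 1)
        headers[name.strip().lower()] = value.strip()
    return {"method": method.decode("ascii", "replace"),
            "target": target.decode("ascii", "replace"),
            "headers": headers}


def inspect_request(raw: bytes) -> dict:
    """Return a verdict for one request against the CVE-2017-7269 pattern:
    PROPFIND with an If header that is overlong or contains non-ASCII bytes."""
    req = parse_request(raw)
    if_value = req["headers"].get(b"if", b"")
    reasons = []
    if req["method"] == "PROPFIND" and if_value:
        if len(if_value) > IF_HEADER_MAX:
            reasons.append(f"If header length {len(if_value)} > {IF_HEADER_MAX}")
        if any(b > 0x7F for b in if_value):
            reasons.append("If header contains non-ASCII bytes")
    return {"method": req["method"], "if_length": len(if_value),
            "suspicious": bool(reasons), "reasons": reasons}


# Constructed sample traffic for this example (not captured from any attack).
BENIGN = (b"PROPFIND /docs/ HTTP/1.1\r\nHost: example.test\r\n"
          b"If: <http://example.test/docs/> (<opaquelocktoken:abc-123>)\r\n"
          b"Content-Length: 0\r\n\r\n")
OVERLONG = (b"PROPFIND / HTTP/1.1\r\nHost: example.test\r\n"
            b"If: <http://example.test/" + b"A" * 400 + b">\r\n\r\n")
PLAIN_GET = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"

if __name__ == "__main__":
    for sample in (BENIGN, OVERLONG, PLAIN_GET):
        print(inspect_request(sample))
```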
“A remote attacker could exploit this vulnerability in the IIS WebDAV Component with a crafted request using PROPFIND method. Successful exploitation could result in a denial of service condition or arbitrary code execution in the context of the user running the application,” said Virendra Bisht, a vulnerability researcher at Trend Micro.
He added that other threat actors are now developing malicious code based on the original proof-of-concept (PoC).
The affected versions of the web server software have not been supported since 2015, and Microsoft said it was unlikely to patch the affected code.
“This issue does not affect currently supported versions,” said a Microsoft spokesperson. “We continue to recommend that customers upgrade to our latest operating systems and benefit from robust, modern protection.”
[Source: SC Magazine]