Smokey's Security Weblog

veritas odium parit

[UPDATED] Microsoft IIS 0-Day Vulnerability in Parsing Files Reported

TheRegister | 25th December 2009

A researcher has identified a vulnerability in the most recent version of Microsoft’s Internet Information Services that allows attackers to execute malicious code on machines running the popular webserver.

The bug stems from the way IIS parses file names with colons or semicolons in them, according to researcher Soroush Dalili. Many web applications are configured to reject uploads that contain executable files, such as active server pages, which often carry the extension “.asp.” By appending “;.jpg” or other benign file extensions to a malicious file, attackers can bypass such filters and potentially trick a server into running the malware.

There appears to be some disagreement over the severity of the bug, which Dalili said affects all versions of IIS. While he rated it “highly critical,” vulnerability tracker Secunia classified it as “less critical,” which is only the second notch on its five-tier severity rating scale.

“Impact of this vulnerability is absolutely high as an attacker can bypass file extension protections by using a semicolon after an executable extension such as ‘.asp,’ ‘.cer,’ ‘.asa’ and so on,” Dalili wrote. “Many web applications are vulnerable against file uploading attacks because of this weakness of IIS.”
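The bypass the article describes works because a typical upload filter looks only at the last extension of the submitted name, while IIS 6 stops reading at the semicolon (and treats a colon as an NTFS stream separator). The following is an added illustration, not code from the article, from Dalili or from Microsoft: the naive check beside a hardened one, in Python. The extension sets, the `naive_filter`, `hardened_filter` and `server_side_name` functions and the sample names are assumptions made for this example.

```python
"""Added example: a naive upload-name filter beside a hardened one.

Not from the original post. Shows why a name such as 'shell.asp;.jpg'
passes a last-extension check even though IIS 6 maps it to the ASP handler.
"""
import os
import re
import secrets

# Server-side extensions a script engine may execute. The article names
# ".asp", ".cer" and ".asa"; ".aspx" is added as a well-known one (assumed list).
SCRIPT_EXTENSIONS = {".asp", ".asa", ".cer", ".aspx"}

# What this hypothetical image-upload handler is willing to store at all.
ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif"}

# ";" ends the name IIS 6 maps to a handler, ":" introduces an NTFS alternate
# data stream, and path separators / NUL have no business in an upload name.
FORBIDDEN_CHARS = set(";:\\/\x00")

# The stem (part before the first dot) must be plain ASCII word characters.
_SAFE_STEM = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def naive_filter(filename: str) -> bool:
    """The weak check the article describes: only the final extension is tested.

    'shell.asp;.jpg' ends in '.jpg' as far as splitext is concerned, so it passes.
    """
    _, ext = os.path.splitext(filename)
    return ext.lower() not in SCRIPT_EXTENSIONS


def hardened_filter(filename: str) -> bool:
    """Accept only names the server cannot interpret as anything but an image.

    Rejects special characters outright, refuses any script extension that
    appears anywhere in the name (so 'shell.asp.jpg' fails too), and finally
    insists on exactly one extension from the allow-list.
    """
    if not filename or any(ch in FORBIDDEN_CHARS for ch in filename):
        return False
    if any(ord(ch) < 0x20 or ord(ch) > 0x7E for ch in filename):
        return False  # control characters or non-ASCII: not worth the risk
    parts = filename.lower().split(".")
    if len(parts) < 2:
        return False  # no extension at all
    stem, exts = parts[0], ["." + p for p in parts[1:]]
    if not _SAFE_STEM.match(stem):
        return False
    if any(e in SCRIPT_EXTENSIONS for e in exts):
        return False  # double-extension trick
    return len(exts) == 1 and exts[0] in ALLOWED_EXTENSIONS


def server_side_name(filename: str) -> str:
    """Never store under the user-supplied name: validate it, keep only its
    extension, and generate the stored name ourselves."""
    if not hardened_filter(filename):
        raise ValueError("rejected upload name: %r" % filename)
    ext = "." + filename.lower().rsplit(".", 1)[1]
    return secrets.token_hex(8) + ext


if __name__ == "__main__":
    # Constructed sample names, including the semicolon and colon variants.
    for name in ["holiday.jpg", "shell.asp", "shell.asp;.jpg", "shell.asp:.jpg",
                 "shell.asp.jpg", "../holiday.jpg"]:
        print("%-18s naive=%-5s hardened=%s"
              % (name, naive_filter(name), hardened_filter(name)))
```

The filter is only a second layer: as the Microsoft responses further down the post make clear, the upload directory must never carry both write and execute permission, because with execute disabled a stored `.asp` file is just bytes. Generating the stored name server-side (as `server_side_name` does) additionally removes the user's control over what the filesystem and the web server see.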

Opinion Sans | 25th December 2009

After reading up on related posts and IIS issues, the nature of the vulnerability is such that it’s going to be widely exploited soon, quite successfully, and not only by the usual suspects, but more effectively by the specialized groups of attackers that are after unrestricted access to your protected network, and, of course, the other groups after more mundane items like bank accounts.

Update 2009-12-28: Microsoft response

MSRC TEAM | Sunday, December 27

On Dec. 23 we were made aware of a new claim of a vulnerability in Internet Information Services (IIS). We are still investigating this issue and are not aware of any active attacks but wanted to let customers know that our initial assessment shows that the IIS web server must be in a non-default, unsafe configuration in order to be vulnerable. An attacker would have to be authenticated and have write access to a directory on the web server with execute permissions which does not align with best practices or guidance Microsoft provides for secure server configuration. Customers using out of the box configurations and who follow security best practices are at reduced risk of being impacted by issues like this.

Once we’re done investigating, we will take appropriate action to help protect customers. This may include providing a security update through the monthly release process, an out-of-cycle update or additional guidance to help customers protect themselves.

This vulnerability was not responsibly disclosed to Microsoft and may put customers at risk. We continue to encourage responsible disclosure of vulnerabilities as we believe reporting vulnerabilities directly to a vendor serves everyone’s best interests. This practice helps to ensure that customers receive comprehensive, high-quality updates for security vulnerabilities without exposure to malicious attackers while the update is being developed.

I want to close by providing some resources and best practices for securely configuring IIS servers:

IIS 6.0 Security Best Practices

Securing Sites with Web Site Permissions

IIS 6.0 Operations Guide

Improving Web Application Security: Threats and Countermeasures

*This posting is provided “AS IS” with no warranties, and confers no rights*

Update 2009-12-29: Microsoft denial

MSRC TEAM | Tuesday, December 29

We’ve completed our investigation into the claims that came up over the holiday of a possible vulnerability in IIS and found that there is no vulnerability in IIS.

What we have seen is that there is an inconsistency in IIS 6 only in how it handles semicolons in URLs. It’s this inconsistency that the claims have focused on, saying this enables an attacker to bypass content filtering software to upload and execute code on an IIS server.

The key in this is the last point: for the scenario to work, the IIS server must already be configured to allow both “write” and “execute” privileges on the same directory. This is not the default configuration for IIS and is contrary to all of our published best practices. Quite simply, an IIS server configured in this manner is inherently vulnerable to attack.

However, customers who are using IIS 6.0 in the default configuration or following our recommended best practices don’t need to worry about this issue. If, however, you are running IIS in a configuration that allows both “write” and “execute” privileges on the same directory like this scenario requires, you should review our best practices and make changes to better secure your system from the threats that configuration can enable.

The IIS folks are evaluating a change to bring the behavior of IIS 6.0 in line with the other versions. In the meantime, they’ve put more information up about this on their weblog.

*This posting is provided “AS IS” with no warranties, and confers no rights*

Take care and remain alert!

December 27, 2009 | Categories: Advisories, Alerts, Recommended External Security Related Links, Vulnerabilities

AV-Comparatives Award Best Anti-Virus Product of 2009: Symantec/Norton

The well-known and trustworthy anti-virus test organisation ‘AV-Comparatives’ has announced the winner of the year 2009: Symantec.
AV-Comparatives is an Austrian non-profit organization which provides independent anti-virus software tests free to the public.

The “Product of the Year” Award is given based on all tests done by AV-Comparatives in a particular year, e.g. malware removal test, dynamic test, PUP test, etc., so the yearly Award is an acknowledgement of the anti-virus product with the best overall test results in that year.

As said, the winner of 2009 is Symantec. A well-deserved winner: after all, we remember very well the severe struggles with Symantec/Norton anti-virus products in the past, which finally resulted in bloatware products that couldn’t be handled anymore; they were totally out of control and also had a huge negative impact on system resources.

Symantec/Norton finally decided to entirely revamp their anti-virus products; we noticed the enormous positive progress in the development of their 2009 product line, and the final touch was performed in the 2010 line: Norton AntiVirus 2010, Norton Internet Security 2010 and Norton 360 Version 3.0.

I am really pleased that all the efforts of Symantec/Norton to improve their products are finally rewarded with the AV-Comparatives “Product of the Year 2009 Award”. Well done and really deserved, Symantec!

December 26, 2009 | Categories: Advisories, Anti-Spyware, Downloads, Malware, Norton Internet Security, Recommended External Security Related Links

Trend Micro is Smokey’s Security Weblog 2009/2011 Hall of Shame Awardee

As I explained in the introduction of the Smokey’s Security Weblog Hall of Shame, the sole purpose of this Hall is to improve users’ experiences and interests concerning all security related issues. Experiences that are many times not satisfying and even really disappointing: users are treated in a way that isn’t acceptable, e.g. by (government) instances and institutions, security vendors, and so on.

This time I had to award a well-known security vendor: Trend Micro. They prefer to ignore warnings rather than correct their incorrect behavior. ‘File Trend Micro’: regard them as a childish loser with a condemnable attitude.

Let’s summarize the facts about Trend Micro and the reason to grant them the honor of being added to Smokey’s Security Weblog Hall of Shame: one week ago I blogged about Trend Micro, not just a security company but also the developers of ‘HJT – HijackThis’, a free log analyzing/report tool used by malware fighters to clean infected systems of malicious content. Because HJT missed the malware combat train, more and more security websites (my site Smokey’s Security Forums included) and malware hunters/fighters decided to ditch HJT in favor of the OTL (formerly OTListIt2) Log Analysis Tool by OldTimer, a highly sophisticated, always up-to-date application regarding combating (new) malware threats.

The irresponsible, childish and condemnable reaction of Trend Micro: flagging ‘G2G – GeeksToGo!’, home of OTL and OldTimer, as a bad site, and also blocking OTL from running.

As I wrote one week ago: Trend Micro, I am done with your company and your products. You aren’t trustworthy. You are childish and bad. Again, don’t try to explain that these are all mistakes; they are deliberate actions to destroy the competition. I warned you to correct your wrong behavior; regrettably you decided to ignore my warning.

For the reasons mentioned above it’s a great pleasure to add Trend Micro to Smokey’s Security Weblog Hall of Shame; you really deserved this honor!


December 19, 2009 | Categories: Anti-Spyware, Anti-Virus, Bundleware, Downloads, Malware, News, Phishing, Recommended External Security Related Links

Trend Micro is a bad and a childish loser

To me it’s amazing that a well-respected security company like Trend Micro acts in such an infantile and, more importantly, irresponsible way regarding what’s going on in malware combating land.

Trend Micro is not just a security company; they are also the developers of ‘HJT – HijackThis’, a free log analyzing/report tool used by malware fighters to clean infected systems of malicious content. Regrettably Trend Micro missed the malware combat train: for a considerable time HJT hasn’t evolved in the desired way. Malware evolves incredibly fast, and HijackThis has no answer to it.

No need to say that malware fighters searched for, and found, a new log analyzing tool: OTL (formerly OTListIt2) by Oldtimer. Highly sophisticated, always up-to-date regarding new malware threats, and also great support by the developer, Oldtimer.

Unavoidable consequence: more and more malware fighters, and the sites they are working for, ditch HijackThis in favor of OTL, my own board Smokey’s Security Forums included: HijackThis logs aren’t accepted anymore; instead we require an OTL log from the customer searching for help to clean his/her system.

HijackThis loses ground very fast, OTL is the rising star. And this is something that isn’t appreciated by the Trend Micro folks at all: they flag ‘G2G – GeeksToGo!’ as a bad site, and they also try to block OTL from running. Everybody knows that G2G is a well respected and acknowledged security site; the same is valid for the program OTL: a great malware fighting/cleaning tool, acknowledged by the entire security community.

Now you will ask: what is the relationship between G2G and OTL? The answer is simple: G2G is the ‘home’ of the program OTL… Unbelievable that Trend Micro performs such condemnable actions. They lose a battle because of their own mistakes (insufficient development of their tool HijackThis) and have the rudeness to react in such a childish way.

Trend Micro, I am done with your company and your products. You aren’t trustworthy. You are childish and bad. Don’t try to explain that these are all mistakes; they are deliberate actions to destroy the competition.

I can tell you this too: I am considering adding you to Smokey’s Security Weblog Hall of Shame. If you don’t solve the issues mentioned by me fast, your Hall Award will be a fact. By fast I mean: within the next 3 days.

December 13, 2009 | Categories: Anti-Spyware, Anti-Virus, Malware, Phishing, Recommended External Security Related Links

Smokey’s Seasonal Competition 2009 will run from Mon 14th Dec. until Monday 21st Dec.

Competition time!!!

The 2009 Smokey’s Security Forums Seasonal Competition will run from Mon 14th Dec. until Monday 21st Dec. This particular Competition is dedicated to a security related organisation; more when the Competition opens to the members of Smokey’s Security Forums. Keep in mind that only members subscribed to the board Newsletter are eligible to join the Competition.

As in the previous Competitions, there are valuable software licenses to win. We again found several (respectable/well-known) vendors prepared to provide licenses for free; all Smokey’s staff would like to give personal thanks to these vendors. Vendors that are interested in providing our Competition with free licenses are invited to contact me via ‘competition2009 at smokey-services dot eu’.

This year’s competition will be slightly different from last year’s competition.
Last year we had a lot of individual winners; this year we are only having a few winners… (how many is a secret!) but those winners will receive a ‘Lucky bag’ of licenses. This means that you won’t only win one license this year… it could be 2, 3 or more.

The rules

* The competition is open to all non staff members at Smokey’s.
* Only members of the ‘Newsletter Subscribers’ group are eligible to take part.
* All board guests are invited to join the competition by registering for free as board member Smokey’s (but must also subscribe to the ‘Newsletter’ group).
* Will run from Mon 14th December until Monday 21st December.
* Because of time differences around the world… GMT will be used.
* A list of all winners will be published on Tuesday 22nd December.
* Winning licenses will be given at random.
* Winners will not be able to choose their licenses.
* Members can only submit one entry; any extra entries will be void.
* If in the event of any complaints, the normal board TOS and complaints procedure will be used.

See ya on Smokey’s! 🙂


December 12, 2009 | Categories: Alerts, Anti-Spyware, Anti-Virus, Recommended External Security Related Links

Get Top-rated DefenseWall HIPS for Free on Dec 10-12, 2009

From Gizmo: “SoftSphere, the makers of the highly regarded DefenseWall HIPS are offering a free copy of DefenseWall exclusively to Gizmo’s Freeware readers. The offer will be available for a three day period starting from 2.00 PM Pacific Standard Time, Thursday 10 December and ending at 2.00 PM Sunday 12 December.”

This is a great offer! DefenseWall HIPS is a top-notch security product; the program was reviewed by AV-Comparatives in May 2009, and in their tests it provided a 100% protection score against their sample set of malware. Grab your free copy of DW HIPS now!

System requirements: Windows 7 32 bit as well as Windows 2000, XP, 2003 and Vista 32-bit.

Full info about the offer: Gizmo

December 11, 2009 | Categories: Advisories, Alerts, Anti-Virus, Downloads, Malware, Phishing, Recommended External Security Related Links, Vulnerabilities

Part 2: Malware is evolving, HijackThis not – OTL Log/Report Tool as replacement

As I wrote a couple of months ago, malware is evolving at a very fast rate; sadly HijackThis isn’t evolving so quickly. In OTL (formerly OTListIt2) by Oldtimer my board Smokey’s Security Forums found an excellent replacement for HijackThis; from now on my board will only accept OTL logs. Again, OTL will serve our members looking for malware removal help in an optimal way, and at the same time it will meet our high board demands and standards.

Like before, if you think your PC is infected or if you want to be sure your PC is clean, feel free to post your OTL log here: OTL (formerly OTListIt2) Log Analysis and Malware Hunting, Removal & Cleaning (English language) or Hilfe bei Problemen mit Viren, Trojanern, Würmern, Spyware, Adware, Ransomware, Popups und sonstigen Schädlingen (German – Deutsch language).
Please keep in mind that (malware removal) help will only be offered to registered board members. Of course board registration and all help is free. You are invited to register here.

Safe computing! 🙂

On behalf of Starbuck, OTL Team Leader Smokey’s Security Forums,


Update 2010-14-03: Guests allowed to post on Smokey’s for Log Analysis and Malware Removal help

December 11, 2009 | Categories: Advisories, Anti-Spyware, Anti-Virus, Bundleware, Phishing, Recommended External Security Related Links, Vulnerabilities