Hours after confirming a vulnerability in Internet Explorer, Microsoft found itself in more hot water. It is now investigating a Denial-of-Service (DoS) vulnerability found in the FTP component of IIS.
Dave Forstrom, the Director of Trustworthy Computing at Microsoft, confirmed the investigations in an email to The Tech Herald.
“Once we’re done investigating, we will take appropriate action to help protect customers. This may include providing a security update through the monthly release process, an out-of-band update or additional guidance to help customers protect themselves,” he wrote.
Late last night Microsoft released a notice from the blog, which stated: “There has been some discussion around a publicly posted PoC code that exploits a vulnerability in IIS FTP 7.5, which ships with Windows 7 and Windows Server 2008 R2. Our engineering team is looking into the situation and has made a few preliminary observations that might clear up some confusion.”
It added that, although it had confirmed the flaw was a denial-of-service vulnerability, remote code execution was unlikely.
“The vulnerability occurs when the FTP server attempts to encode the Telnet IAC (Interpret As Command) character in the FTP response. The IAC character, which is represented as decimal 255 (Hex FF) in the response, needs to be encoded by the addition of another decimal 255 character in the FTP response where we find the presence of the IAC character. Due to an error in this processing, it is possible to get into a state where an attacker could overwrite a portion of the response with a string of 0xFFs even past the end of the heap buffer, resulting in a heap buffer overrun,” the blog said.
“In that situation, the only data that a malicious client controls in this overrun is the number of bytes by which the buffer is overrun. It cannot control the data that is overwritten — the data will always be the IAC character 0xFF.”
The malicious client, in other words, controls neither the addresses at which data is overwritten nor the value written. This, plus the fact that the FTP 7.5 service was also protected by Data Execution Prevention (DEP), meant that the attack would only amount to a denial of service and not code execution.
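As an added illustration of the encoding rule the quoted post describes, and not Microsoft's code or a reproduction of the IIS flaw, the following C routine counts the IAC bytes in a response first and refuses to write unless the output buffer can hold the doubled form, so a run of 0xFF bytes can never extend past the end of the buffer. The sample response is constructed.

```c
#include <stdio.h>
#include <stddef.h>

#define IAC 0xFF  /* Telnet "Interpret As Command" byte (RFC 854) */

/* Number of bytes an FTP response of 'len' bytes occupies once every
 * IAC byte has been doubled. This is the count the server must use to
 * size its output buffer: 'len' alone is too small whenever the
 * response contains any 0xFF bytes. */
size_t iac_escaped_len(const unsigned char *in, size_t len) {
    size_t out = len;
    for (size_t i = 0; i < len; i++)
        if (in[i] == IAC) out++;
    return out;
}

/* Copy 'in' into 'out', doubling every IAC byte. Returns the number of
 * bytes written, or 0 if 'out_cap' cannot hold the escaped response,
 * in which case nothing is written. Checking capacity before touching
 * the buffer is what keeps the escaped 0xFF run inside the heap block. */
size_t iac_escape(const unsigned char *in, size_t len,
                  unsigned char *out, size_t out_cap) {
    size_t need = iac_escaped_len(in, len);
    if (need > out_cap) return 0;
    size_t o = 0;
    for (size_t i = 0; i < len; i++) {
        out[o++] = in[i];
        if (in[i] == IAC) out[o++] = IAC;
    }
    return o;
}

int main(void) {
    /* Constructed sample: a 3-byte run of 0xFF inside a response line. */
    const unsigned char resp[] = { '2','0','0',' ', 0xFF,0xFF,0xFF, '\r','\n' };
    unsigned char raw_sized[sizeof resp];      /* sized for the raw response only */
    unsigned char doubled[2 * sizeof resp];    /* worst case: every byte is IAC */
    printf("raw %zu bytes, escaped %zu bytes\n",
           sizeof resp, iac_escaped_len(resp, sizeof resp));
    printf("into raw-sized buffer: %zu (0 = refused)\n",
           iac_escape(resp, sizeof resp, raw_sized, sizeof raw_sized));
    printf("into doubled buffer: %zu bytes\n",
           iac_escape(resp, sizeof resp, doubled, sizeof doubled));
    return 0;
}
```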