Millions of Websites Affected By Unpatched Flaw in Microsoft IIS 6 Web Server

A proof-of-concept exploit has been published for an unpatched vulnerability in Microsoft Internet Information Services 6.0, a version of the web server that's no longer supported but still widely used. From a report on PCWorld: The exploit allows attackers to execute malicious code on Windows servers running IIS 6.0 with the privileges of the user running the application. Extended support for this version of IIS ended in July 2015 along with support for its parent product, Windows Server 2003. Even so, independent web server surveys suggest that IIS 6.0 still powers millions of public websites. In addition, many companies might still run web applications on Windows Server 2003 and IIS 6.0 inside their corporate networks, so this vulnerability could help attackers perform lateral movement if they access such networks through other means.

Re:

[kilodelta]

Well yeah they are rock solid. I left IIS a very long time ago as I realized what an insecure piece of crap it was.

Microsoft Web Server?

[Anonymous Coward]

Why would someone run a Microsoft web server vs. Nginx on OpenBSD?

Just asking, cuz I honestly can't fathom a situation where this would be desirable??? Maybe I'm missing something?

Re:

[Anonymous Coward]

You can't understand this because you don't have a Masters of Business Administration degree.

Re:

[KiloByte]

Why would someone run a Microsoft web server vs. Nginx on OpenBSD?

Just asking, cuz I honestly can't fathom a situation where this would be desirable??? Maybe I'm missing something?

You're missing the baseball/handegg/etc tickets someone high in your company got.

Re:

[Anonymous Coward]

Why would someone run a Microsoft web server vs. Nginx on OpenBSD?

Just asking, cuz I honestly can't fathom a situation where this would be desirable??? Maybe I'm missing something?

- "It's working, why would we buy a new server?"
- "That's a business-critical application that has to run on Microsoft(tm) Windows(tm) Internet-Information-Server(tm), touch it and you're fired"
- "Just install a securiy-patch or something and stop whining"
- "what???? Windows2003 is end-of-life? Never heard of that, we need at least two years to plan a migration to Windows 2008.... oh fuck, that's also going eol next month???"

Re:

[mandark1967]

This pretty much summed up our last CIO Meeting.

Re:Microsoft Web Server?

[phantomfive]

Nginx wasn't around when the website was created.
It doesn't matter how secure your OS is if you're running a vulnerable web server. If you open telnet on OpenBSD, you can consider yourself pwned.
Nginx has a better record that IIS, but you know, it's not perfect [cvedetails.com]. Maybe you can run a proxy in front of it to defend against security vulns.

Re:

[Billly Gates]

Try running 1st build of nginx from last decade and let me know how that security is?

ASP.NET, C# and .NET are actually quite good.

[Anonymous Coward]

I suppose you've never used ASP.NET or C# or .NET at any point.

Well, it turns out that they're actually quite good. Their biggest drawback, until recently, was that they were only supported on Windows.

But in terms of functionality, they're even still lightyears ahead of anything the open source community has managed to create.

ASP.NET is a sane, sensible way of building large-scale web applications and web APIs. It provides useful abstractions, but without going totally overboard like so many Java web frameworks do. You won't be drowned in design pattern hell. But it also provides more structure than most PHP frameworks provide. Yet it isn't as inflexible and opinionated as Ruby on Rails is. It's as close as anyone has gotten to a practical balance.

C# is an excellent programming language. It took the best parts of languages like Java and C++, but discarded a lot of their failures. It's a much, much, much better language than PHP or Ruby or JavaScript. It has a great blend of strictness where it's useful, but while also being extraordinarily flexible when that's needed. .NET as a runtime is fast, light and performs very well. It puts the JVM to shame, and it blows the various Ruby and JavaScript interpreters/VMs to pieces. It also includes a complete and sane standard library. The only other library I've ever seen that comes close is Python's. It's hard to go back to Java's standard library after using .NET's, just because Java's ends up looking so inconsistent and dumb so much of the time.

Microsoft does a lot wrong, but ASP.NET, C# and .NET are some things that they've done so much better than anyone else, and nobody has caught up yet. The open source communities are still dicking around with PHP, Ruby on Rails, and worst of all, Node.js, none of which are anywhere near as good as what Microsoft has created.

Now we're seeing Microsoft port these technologies to Linux and macOS, which gets rid of their main drawback: the need for Windows.

Aside from using legacy applications, it's getting to the point where technologies like Ruby on Rails, PHP and Node.js should be seen as obsolete, as the cross-platform technologies Microsoft is now providing are so much better.

Re:

[PPH]

This may be so. And I'm not going to get pulled into a discussion of how good/bad .NET and its minions are. But it raises the question of why these organizations haven't moved up to a current, supported version of Windows Server and IIS.

Re:

[phantomfive]

I spent a couple years doing ASP.NET back in its heyday. I thought it was an over-engineered curiosity. Things like replacing standard HTML elements with ASP specific tags seemed bizarre. It sent so much data back to the server on every request that it felt bloated and wasteful.

But now.......compared to many popular frameworks, with whole pages written in Javascript (or non-standard JSX), or the bloated mess that is Angular, it seems positively genius. The <UpdatePanel> thing made Single Page Apps

Re:

[DrStrangluv]

If you're thinking pre-MVC web forms, ASP.Net is a whole different animal these days, and it's just about as nice as the author claims.

Re:

[phantomfive]

If you're thinking pre-MVC web forms

No.

Re:

[Gr8Apes]

ASP.NET sucked badly, even when people thought it was good. It was merely another attempt by MS to take over a standard. The koolaid JS framework of the day is no better, we certainly agree there. And UpdatePanel didn't show up until 2007? seriously? Guess we were ahead of our time. C# as a language is kind of schizophrenic - is it C, C++, or Java? Which is it? All 3? And if you doubt this, try writing secure system software with C#. It can't be done. You'll be in C so often you might as well write everythi

Re:

[phantomfive]

And UpdatePanel didn't show up until 2007? seriously? Guess we were ahead of our time

I don't think any other framework has something like that, but maybe I'm wrong.

Re:

[Gr8Apes]

It wasn't a framework, at least not one available publicly, but we built a web component in JS that essentially was an in place AJAX application that only loaded once back in 2004. I fully admit I freely built off of Google's suggest feature, a few weeks after it came out. I've since built a couple of variations of this concept in several different frameworks across the years for a number of customers and employers. At least a couple I know of are still using those apps. Now, is it as clean as a single cont

Re:

[phantomfive]

That's an interesting idea, maybe I'll try it.
The updatePanel is great because you don't have to do anything other than surround a desired section of HTML with an <UpdatePanel> tag and then anything inside it will get updated without a reload of the page.

Re:

[Gr8Apes]

That's pretty much the same thing with the particular JSF implementation we used. Since the server has the page representation, it controls what's sent down when something changes. The trick was in adding the appropriate pieces in the JSF based controls to enable the server partial pushes. I believe this particular feature is no longer possible because the implementation we used actually broke the JSF spec if you used it the way we did, and the "fix" was to refresh the page on update, precisely what we didn

Re:

[phantomfive]

That's pretty much the same thing with the particular JSF implementation we used.

I should probably look around harder, there are surely other frameworks that do it, too

Re:

[guruevi]

Please add sarcasm tags to your post.

Re: Microsoft Web Server?

[cyber-vandal]

Because rewriting all your ASP.NET apps to run under nginx costs a lot for little noticeable business benefit.

Re: Microsoft Web Server?

[cyber-vandal]

It's pretty easy really. Does the software (third party and in house) that we need to run our business run on OpenBSD? No. Is there an equivalent? No. How much will it cost to rewrite everything? Tens of millions and huge disruption. Ok we'll pay a fraction of that to threat mitigation companies instead. I have nothing against OpenBSD. It's an excellent piece of software, but there are so many things it doesn't run. If Windows could be replaced so easily it already would have been.

Re: Microsoft Web Server?

[phantomfive]

I'll put an unpatched Netware 4.12 server **directly on the internet**

That's a good idea. No one will know how to hack into it over IPX.

Re:

[ilsaloving]

Why would someone run a Microsoft web server vs. Nginx on OpenBSD?

Off the top of my head:
-Dependency on a microsoft technology from that era, eg ActiveX
-The application it runs was made by a consulting company and cannot be upgraded/replaced with something else without undo cost
-Because the administrator was/is a Minesweeper Consultant and Solitaire Expert who doesn't know anything about this linux stuff
-There is no administrator at all and the server is basically some dust-collecting artifact somewhere, running forever until the hardware fails.

Re:

[WaffleMonster]

Why would someone run a Microsoft web server vs. Nginx on OpenBSD?

Just asking, cuz I honestly can't fathom a situation where this would be desirable??? Maybe I'm missing something?

When most of these systems were created there were basically only two options. Apache or IIS.

Apache forked worker processes to handle each incoming web request separately. This gave it high reliability vs IIS as sloppiness or programming defects simply vanished when a forked process died.

With IIS errors accumulated until IIS went bonkers and crashed.

Yet apache sucked for data driven applications because you couldn't maintain connection/application state in-process without running some kind of proxy to so

Re:

[thegarbz]

Why would someone run a Microsoft web server vs. Nginx on OpenBSD?

Maybe because Nginx wasn't even released when Windows 2003 and IIS 6 were?

It is quite desirable to run something rather than nothing when you have to serve up a webpage.

It is even more desirable if you're a 100% MS shop.

And running Apache / Linux or Nginx / OpenBSD doesn't make you any less stupid if you don't upgrade your software to a current supported release.

There's nothing you can do about idiot admins

[Viol8]

Extended support finished 2 years ago yet apparently there are still many admins (I used that term advisedly) running public facing websites who think its perfectly acceptable to run this software. This is beyond moronic but short of giving them all a royal kick up the backside I can't see a solution unless the companies involved fancy paying MS $$$ for a fix just for them.

Re:There's nothing you can do about idiot admins

[bill_mcgonigle]

You'll be hard pressed to find even a Windows admin who wants to run 2003-era stuff now. But due to the high cost of Windows infrastructure , reluctant beancounters, and their lack of political savvy they have neither the manpower nor the budget to upgrade, and lack the confidence to quit over it.

Sure it's based on bad decisions from the past, but today they are paying the bill. And that cost may be having all of their private data exfiltrated.

The weak and foolish perish - same as always.

Re:

[Billly Gates]

Fuck em

I quit because of this. Server 2003 IS NOT SUPPORTED. It should be a HIPPA and PCI problem as how can you secure something that is not patched.

The IT directors need to know and get involved. Imagine a ransomware infection?

Re:

[Gr8Apes]

Imagine a ransomware infection?

It'd be hard, the ransomware would fail - expected function 'n' not available, crash....

Re:

[known_coward_69]

this is more about idiot developers who go all autistic at the thought of having to lift a finger to change code that won't work on newer versions of IIS

Re:

[Anonymous Coward]

Idiot developer is right. I'm not an expert web developer, but to me, coupling the web application to the web server seems like a terrible idea. Whoever did that needs to be clobbered with extreme prejudice.

At work, we run an nginx-uwsgi-django stack. I can pretty much swap any of those components out without breaking the other. Live. With split-second downtime.

In fact, that is what we did at some point. We threw out Apache and it's crappy wsgi implementation and put this in place with minimal effort. The a

Re:

[phantomfive]

Think if you could swap any of those components to their 2003 counterpart. Would it still work?

Apache sure would.

Re:

[WaffleMonster]

Idiot developer is right. I'm not an expert web developer, but to me, coupling the web application to the web server seems like a terrible idea.

IIS applications use well known published interfaces same as your uwsgi application.

Re:

[Cramer]

The issue is not the server, per se, but the components that can only be run from that old version. I have a few of those still around (toshiba pbx management engine: you give it its own VM and never fuck with any part of it! Shut down the VM when it's not being used.)

if he built things right in the first place

WRONG. Obviously you aren't a programmer, nor do you know any. Functions get changed, renamed, deprecated, and removed. No matter how well you write your java craplet, changes in the JRE will eventual

Re:

[Billly Gates]

Why would developers need to get involved? Asp.net is supported on more modern versions of IIS

Re:There's nothing you can do about IDIOT MBAs

[Billly Gates]

Problem is the guys in suits. Not the geeky admin. Unless there is a ROI it won't ever be upgraded. They work fine. Worse if they outsource to India to cut costs. These contract companies care more to appear cheap and brown nose their MBA clients than fix shit.

I left my last employer. One of the biggest but not sole reason was their shit never worked and I was always blamed. We have HIPPA requirements and freaking run them off IE 6 and store files on server 2003! Worse I replaced the tape drives 3 times bec

From 2003?

[MobyDisk]

independent web server surveys suggest that IIS 6.0 still powers millions of public websites

Whaa?? Who runs a public web site on a 14-year old version of the server???? [builtwith.com] That site claims 8 million of them!

Re:

[thegarbz]

Is the website still working? It looks okay on my 4k LCD screen so it must be running just fine. Why would you want money to upgrade something which works just fine?

Signed
Pointy Haired Boss.

Re:

[StormReaver]

Whaa?? Who runs a public web site on a 14-year old version of the server????

There are plenty of dumb people who still think that Windows belongs in a public-facing capacity. It doesn't matter which version of Windows you use to underpower your Web server. You were screwed the moment your management decided to use Microsoft.

Re:

[Gr8Apes]

Whaa?? Who runs a public web site on a 14-year old version of the server????

There are plenty of dumb people who still think that Windows belongs in a public-facing capacity. It doesn't matter which version of Windows you use to underpower your Web server. You were screwed the moment your management decided to use Microsoft.

Absolutely. Microsoft and servers do not belong in the same sentence.

No offense but

[Anonymous Coward]

But that's what you get for choosing a MS product.
As comparison: apache moved on to apache2 but you can still run apache(1) if you choose to, no matter the OS.
Its worse enough having to upgrade your servers to a new OS every few years. Its even worse to upgrade all web and database stuff to newer and usually not backward compatible stuff.
Only idiots think 5 years is a long time. Plenty stuff out there survives a few decades. Its not the new and shiny stuff that rules the cyberspace world but more often than

Re:

[BradleyUffner]

No, that's what you get for choosing a MS product that has been unsupported for 2 years now. Modern versions are just fine.

Re:No offense but

[thegarbz]

but you can still run apache(1) if you choose to

I assume you're talking about an Apache v1.x release. That would make you just as much an idiot as those whom you are mocking. The last Apache v1.x release was 1.3.42 and has been EOL for 5 years longer than IIS 6.

And no you can't just blindly upgrade either. Apache 2 dropped support for some OSes putting you in exactly the same boat, upgrade the OS or run an unpatched leaky sieve of a web server.

Only idiots think 5 years is a long time.

For critical infrastructure only idiots would run something for decades beyond it's support life. Especially something as bloody simple and easy to upgrade as a web server.

Re:

[Anonymous Coward]

Apache 2 dropped support for some OSes putting you in exactly the same boat

What does "support" have to do with anything? It's free software. Compile it for your "unsupported" OS.

Use Linux

[stooo]

Use. Linux.

Re:

[liooth]

This answer is as dumb, as it can get by biological means; not sure, if a specialized AI could beat that...

It's not about Windows vs. Linux, it's about management vs. IT. A 14 year old Linux server will not fare any better, in fact, it's a lot easier to build a shitty server with Linux than it is with Windows. I've done web servers with VMS, OS/2, Unix, Windows and Linux and you can build decent servers with any system, as long as you know, what you're doing. The key has always been to convince the CFO, tha

Re:

[hcs_$reboot]

This answer is as dumb, as it can get by biological means

Yeah, but you know on Linux people don't have to worry about the cost of a web server/OS - and when a patched or new version comes on the horizon. nobody thinks twice before upgrading (IIS depends biologically upon its OS, and often an IIS upgrade requires an OS upgrade).

This answer is as dumb, not sure, if a specialized AI could beat that...

If an AI can beat that, it's definitely not dumb!

Re:

[liooth]

Don't get me wrong: I'm not "pro-Windows" or "pro-Linux" in any way. They both are valid options, but you have to consider the consequences. Keeping a Linux system up-to-date is a bit more work than a Windows system, but the Linux ecosystem is a bit more "snappier" about security issues...

We should agree on a simple fact: running a webserver on a 14yr old system just isn't a good idea!

Re:

[liooth]

Yeah, but you know on Linux people don't have to worry about the cost of a web server/OS

Depending on your scope of responsibility and the number of customer systems, licensing costs are your least concerns. Right now, I'm in charge of ~150 Linux servers and ~40 Windows servers. The customers on Windows had no problems with 30 minutes of downtime on a Wednesday night (they know Windows update!), but the Linux customers were bitching around like puberting teenagers...

- and when a patched or new version comes on the horizon. nobody thinks twice before upgrading (IIS depends biologically upon its OS, and often an IIS upgrade requires an OS upgrade).

You never had to deal with C-level, right?

This answer is as dumb, not sure, if a specialized AI could beat that...

If an AI can beat that, it's definitely not dumb!

It has to be really smart to appear dumber... :)

Re:

[DrStrangluv]

I've yet to see a linux distribution supported for even 7 years, let alone the 10 minimum guaranteed by MS. Sure, you can in-place upgrade linux to a new version of the distro, but Windows allows in-place upgrades now, too. You have to pick your poison here. If you are updating, you're gonna have some of the same stability and migration issues on linux that you'll have going to a new version of Windows. If you're not updating, you're eventually running into the same security issues you get running old Wind

Re:

[Bert64]

Linux is more modular, the components are available with source code and the updated versions are both free and more likely to still be compatible with your existing hardware...

If you absolutely must keep an old version of linux running you have options - you can update the externally facing services yourself (eg nothing to stop you installing the latest openssh on an ancient linux kernel), you can patch and rebuild older source yourself, you can remove things you don't need to decrease the attack surface.

U

Re: Use Linux

[buchanmilne]

"I've yet to see a linux distribution supported for even 7 years, let alone the 10 minimum guaranteed by MS."

You haven't heard of Red Hat, or CentOS?

RHEL5 reached end of standard support yesterday, after just over 10 years. Extended support is available for anothwr 2.5 years:
https://access.redhat.com/supp... [redhat.com]

CentOS 5/6/7 have the same lifecycle:
https://linuxlifecycle.com/ [linuxlifecycle.com]

https://wiki.centos.org/About/... [centos.org]

"Windows can guarantee you a decade of security updates for a platform. I have to get it

Re:

[DickBreath]

It is about how you deploy the application. I was going to describe in more detail what I am doing, but it would be too long. In short, you deploy everything together on top of the OS. That is, in my case, I can change the Java runtime and Tomcat server as easily as upgrading the application. (In a nutshell: nothing is installed. Just folders with scripts that point to everything by pathname. Unpack new java runtime folders and new tomcat servers, alter script pathnames, etc. If the OS happens to be

Re:Use Linux

[thegarbz]

Use. Linux.

And what would that bring? Apache has the same support life as IIS.

IIS 6 and Windows 2003 came out in 2003 EOLed in 2015
Apache 2.0 and Linux 2.4.19 came out in 2003 EOLed in 2013 and 2012 respectively.

Silly take home message: You get a year longer support with MS.

Real take home message: Not using MS doesn't make you any less stupid of a system admin if you don't update your public facing software and run current in service life systems.

I have to ask...

[hAckz0r]

Serious question. What did Microsoft screw up so badly that nobody ever upgraded to a "better" (?) or more secure server?