A vulnerability has been discovered in Windows Server 2003 running IIS6 by two security researchers at the South China University of Technology, but Microsoft said it won’t issue a patch even though up to 600,000 servers could be running the unsupported software.
The researchers posted a proof-of-concept exploit for the zero-day to GitHub. The flaw is a zero-day buffer overflow vulnerability (CVE-2017-7269) which has been traced to improper validation of an ‘IF’ header in a PROPFIND request.
The researchers said it’s not a theoretical risk as the flaw was exploited in the wild in July or August 2016. It was disclosed to the public this week.
“A remote attacker could exploit this vulnerability in the IIS WebDAV Component with a crafted request using PROPFIND method. Successful exploitation could result in denial of service condition or arbitrary code execution in the context of the user running the application,” said Virendra Bisht, a vulnerability researcher at Trend Micro.
He added that other threat actors are now in the process of creating malicious code based on the original proof-of-concept (PoC).
The affected versions of the web server software have not been supported since 2015 – Microsoft said it was unlikely to patch the affected code.
“This issue does not affect currently supported versions,” said a Microsoft spokesperson. “We continue to recommend that customers upgrade to our latest operating systems and benefit from robust, modern protection.”
According to a search on IoT search engine Shodan, over 600,000 systems could be affected by the unpatched bug.
Bisht said that while Microsoft isn’t supporting and won’t be patching the old OS version anymore, organisations could mitigate the risk by disabling the WebDAV service on the vulnerable IIS 6.0 installation. He added that newer versions of Windows Server shipped with newer versions of IIS are not affected by this vulnerability.
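Because the flaw is reached through the PROPFIND method, a server's own logs show whether WebDAV is still answering such requests after the mitigation. The following is an added example, not code from the article, the researchers or Microsoft: it assumes IIS is writing W3C extended logs with a `#Fields:` directive, and the sample lines, addresses and function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample of an IIS W3C extended log (not real traffic).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2017-03-30 10:00:01 192.0.2.10 GET /index.htm 200
2017-03-30 10:00:05 198.51.100.7 PROPFIND / 501
2017-03-30 10:00:06 198.51.100.7 PROPFIND / 501
#Fields: date time cs-method cs-uri-stem c-ip sc-status
2017-03-30 10:05:00 PROPFIND /docs 203.0.113.5 207
2017-03-30 10:05:02 OPTIONS / 203.0.113.5 200
"""

def propfind_summary(log_text):
    """Return {client_ip: {status: count}} for every PROPFIND request."""
    fields = []
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            # The column layout can change mid-file; always use the latest one.
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#") or not fields:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed entry
        row = dict(zip(fields, values))
        if row.get("cs-method", "").upper() == "PROPFIND":
            hits[row.get("c-ip", "-")][row.get("sc-status", "-")] += 1
    return {ip: dict(statuses) for ip, statuses in hits.items()}

def webdav_answered(summary):
    """Clients that received 207 Multi-Status, i.e. WebDAV processed the request."""
    return sorted(ip for ip, statuses in summary.items() if "207" in statuses)

if __name__ == "__main__":
    summary = propfind_summary(SAMPLE_LOG)
    for ip, statuses in sorted(summary.items()):
        print(ip, statuses)
    print("WebDAV still answering for:", webdav_answered(summary))
```

Any 207 response to PROPFIND on a server where WebDAV is meant to be disabled indicates the mitigation is not in effect on that site.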
While an official patch from Microsoft looks unlikely to ever surface, a third-party company is offering organisations an alternative to upgrading.
In a blog post, Acros CEO Mitja Kolsek said that to help maintainers of Windows Server 2003 computers block almost inevitable attacks under these unfavourable circumstances, “we decided to provide them a free solution: a micropatch for CVE-2017-7269, which they can apply on their machines not only without rebooting, but also without even restarting Internet Information Services.”
This article originally appeared at scmagazineuk.com