Exploit for Microsoft’s old IIS6 web server published, potentially affecting millions of sites

Kareem Anderson

Being the world’s most used desktop operating system often means that each day a new bulls eye is drawn on its back as attackers seek to use it a vessel for their own personal gains. The Microsoft Windows and security teams are constantly dealing with an exploit or nefarious piece of code daily, and recently a zero-day vulnerability cropped up that should have the teams and website developers working to patch sites hosted on Microsoft IIS 6 web servers from attacks but they most likely won’t.

According to a report from PCWorld, a proof-of-concept exploit has been published regarding Microsoft’s Internet Information Services 6.0. While that version is not being supported it is still being used these days and the exploit still poses a big issue.

The exploit allows attackers to execute malicious code on Windows servers running IIS 6.0 with the privileges of the user running the application. Extended support for this version of IIS ended in July 2015 along with support for its parent product, Windows Server 2003.

Even so, independent web server surveys suggest that IIS 6.0 still powers millions of public websites. In addition, many companies might still run web applications on Windows Server 2003 and IIS 6.0 inside their corporate networks, so this vulnerability could help attackers perform lateral movement if they access such networks through other means.

Worse yet, a recent publishing of the exploit on GitHub has potentially put it in the hands of countless hackers seeking to cause harm or manipulate the code to create other threat actors based on the original proof-of-concept. According to a web analytics from the firm Netcraft, there could be up to 185 million websites still hosted on 300,000 servers vulnerable to this exploit because they are running Windows Server 2003. Since Windows Server 2003 is no longer being supported, Microsoft is not offering a patch or a solution to this vulnerability.

However, for those still using IIS 6.0 a possible way to mitigate the vulnerability is to disable the WebDAV service that accompanies the installation. There are also some other free micro patches that can be applied such as ARCOS Security’s offering.

Logically, the best solution is to move old websites built on this server to newer and supported IIS and Windows Server.