Solution to IIS Security Bug Is to Upgrade?

An authentication bug in Microsoft IIS 5.x surfaced last December. Recently Microsoft said that the fix is to upgrade to IIS 6.0, which essentially means that the company won't be producing a patch and will thereby leave IIS 5.x users vulnerable.

The problem, discovered by Joao Gouveia and John Omerni, lets someone use the search highlighting feature built into Index Server 2.0 (a part of the IIS 5.x platform) to completely bypass any authentication requirements and readily gain access to restricted content.

Microsoft's statement that such behavior in IIS 5.x "is by design" came as a shock to many administrators. Some wondered why, if that's true, this "design" doesn't exist in IIS 6.0. The shock was furthered by Microsoft's suggestion that administrators should upgrade, because in order to use IIS 6.0, administrators might also have to upgrade their server OSs to Windows Server 2003, which is a big step with considerable costs.

Potential workarounds exist to help prevent exploitation, a few of which include using URLScan, removing file mappings to .htw files, and setting file permissions. However, some say that ultimately Microsoft should issue a patch instead of forcing people to change platforms. SANS goes so far as to suggest that one possible workaround is to simply ditch IIS and migrate to Apache Web server instead.

Microsoft published an article, "Hit-highlighting does not rely on IIS authentication," about the problem on June 4, and controversy was further fueled by the fact that the company had actually provided an example in the article that essentially showed how to exploit the vulnerability. That example has since been removed from the article.