Thursday, April 17, 2008

If you run IIS or SQL on any current flavor of Windows . . .

You might want to check this out -- soon -- and see if your configuration is at risk. Mitigation suggestions are included on the linked page.

http://www.microsoft.com/technet/security/advisory/951306.mspx

I smell a new worm rising from the dank depths of "teh inter-tubes . . ."

"Microsoft is investigating new public reports of a vulnerability which could allow elevation of privilege from authenticated user to LocalSystem, affecting Windows XP Professional Service Pack 2 and all supported versions and editions of Windows Server 2003, Windows Vista, and Windows Server 2008. Customers who allow user-provided code to run in an authenticated context, such as within Internet Information Services (IIS) and SQL Server, should review this advisory. Hosting providers may be at increased risk from this elevation of privilege vulnerability."

If you administer a website on a Windows Server based host, as opposed to a Unix or Linux based host, I strongly advise you to grab a backup of your entire site, and its databases (if you have such) right now.

There is a key phrase in the security alert that alarms me:

1) "Upon completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through a service pack, our monthly security update release process, or an out-of-cycle security update, depending on customer needs."

Anytime MS talks about out-of-cycle updates, I take any other disclaimers they spout about "Microsoft not being aware of any attacks attempting to exploit the potential vulnerability" with a unhealthy dose of proverbial salt. Play it safe -- act as if the vulnerability is already actively being used to hack sites and servers.