It’s been a busy few days on the IIS Security Team.
Earlier this week, a vulnerability was found in the IIS FTP server. We have been working with security teams across Microsoft to research the issue and formulate a response to best protect our customers.
Unfortunately, this finder chose to release the details of the vulnerability directly to the public instead of bringing it to our attention first. When this happens, we have competing priorities: We want to research the issue as thoroughly as we can. And at the same time, we want to get information out to our customers as soon as possible so that they can protect themselves.
In response to this issue, Microsoft issued Microsoft Security Advisory (975191) on Tuesday.
Earlier today, this same finder released information for a second vulnerability in the IIS FTP server. Again, the finder chose to release his information directly to the public. While this new finding is a different issue, the impact, migitations and workarounds are very similar to the first issue; similar enough that both issues are now addressed in the above advisory.
One significant difference is that different versions of FTP are affected in different ways. This has resulted in some confusion about determining whether a particular server is vulnerable or not. I will now attempt to clear up some of that confusion. Note that the primary source of information on the details is the security advisory. I will not discuss those details here.
I will cover the most straightforward cases first:
- Windows 2000 includes IIS 5.0, which includes FTP 5.0. All of the issues in the security apply to this version of the FTP server.
- Windows XP includes IIS 5.1, which includes FTP 5.1. All of the issues in the security advisory apply to this version of the FTP server.
- Windows 7 and Windows 2008 R2 both include IIS 7.5, which includes FTP 7.5. None of the issues in the security advisory apply to this version of the FTP server. It is unaffected by both these vulnerabilities.
The confusion arises with Windows 2003, Vista and Windows 2008. Windows 2003 contains IIS 6.0; Vista and Windows 2008 contain IIS 7.0. All of these platforms contain a version of FTP that we call FTP 6.0.
Only it’s not quite that simple.
We did some maintenance to FTP 6.0 between Windows 2003 and Vista. As a result of this work, the first of this week’s two findings applies only to the older flavor that ships with IIS 6. The second of this week’s findings apply to FTP 6.0 on all 3 Windows versions.
The version story is even more confusing because we released FTP 7.0 as an add-on component to Vista and Windows 2008 and has also made FTP 7.5 available for these operating system versions. Both FTP 7.0 and FTP 7.5 are unaffected by this week’s findings described in the above security advisory. If you are running the FTP server with Vista or Windows 2008 and have not yet upgraded the FTP server, we strongly recommend that you consider upgrading to FTP 7.5. We offer this upgrade for free. You can find details here.
If you are running the IIS FTP server on Windows 2003 or earlier, or if you choose to run FTP 6.0 on Vista or Windows 2008, please see the security advisory for the most current information on mitigations and workarounds.
I would like to touch on one other topic on the subject of IIS versions.
The IIS FTP server is hosted in the same process as the IIS Admin Service. In IIS 6.0 and earlier, all of the IIS services are dependent on this service. Because both vulnerabilities have the potential to terminate this process, a successful denial of service attack to FTP will also shut down all IIS services, including the web server.
IIS 7.0 has a different architecture and the IIS 7.0 web server is not dependent on the IIS Admin Service. For this reason, a successful denial of service attack against FTP 6.0 will not affect the IIS 7.0 web server.