Microsoft refuses to fix security flaw in 600,000 Windows Server 2003-based web servers
Security flaw affects Windows Server 2003 machines with WebDAV enabled
As many as 600,000 Windows Server 2003 installations still connected to the internet today could be vulnerable to a major security flaw in Microsoft Internet Information Services (IIS) 6.0.
However, Microsoft has warned that it has no plans to issue a patch to enable users to protect themselves against the zero-day buffer overflow vulnerability. A full technical write-up can be read here: CVE-2017-7269.
The vulnerability appears in the Web Distributed Authoring and Versioning (WebDAV) component of Microsoft's web server IIS 6.0. WebDAV is an extension of the HTTP protocol that allows clients to write web content remotely.
WebDAV has a method called PROPFIND which allows a user to retrieve properties of a resource. There is also a header called IF which handles the state token. By issuing an overly large IF header in a PROPFIND request, an attacker may be able to create a denial of service condition or run arbitrary code in an application, reports security vendor Trend Micro in a blog post.
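The request shape described above is easy to recognise in traffic. The following added example, not from the article or from the researchers' proof-of-concept, parses raw HTTP requests as a reverse proxy or packet capture would hand them over and flags a PROPFIND whose If header is far longer than any legitimate lock-token list would be. The 1024-byte threshold and the sample requests are constructed for illustration.

```python
"""Flag WebDAV PROPFIND requests whose If header is abnormally long.

Added detection example, not code from the article. A legitimate If
header carries one or a few state tokens, so a multi-kilobyte value on
a PROPFIND is worth alerting on regardless of what follows it.
"""

IF_HEADER_LIMIT = 1024  # assumption: generous ceiling for legitimate If headers


def parse_request(raw: str):
    """Split a raw HTTP/1.x request into (method, path, headers).

    Header names are lower-cased; repeated headers are joined with ", "
    so a header split over several lines is still measured as a whole.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) < 3:
        raise ValueError("malformed request line")
    method, path = parts[0], parts[1]
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        name = name.strip().lower()
        value = value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return method, path, headers


def suspicious_propfind(raw: str, limit: int = IF_HEADER_LIMIT):
    """Return a finding for a PROPFIND with an oversized If header, else None."""
    method, path, headers = parse_request(raw)
    if method.upper() != "PROPFIND":
        return None
    if_value = headers.get("if")
    if if_value is None or len(if_value) <= limit:
        return None
    return {"method": method, "path": path, "if_length": len(if_value)}


def scan(requests):
    """Run the check over a list of raw requests and collect the findings."""
    return [f for f in (suspicious_propfind(r) for r in requests) if f]


# Constructed sample traffic: one ordinary PROPFIND, one with a 4 KB If header, one GET.
BENIGN_PROPFIND = (
    "PROPFIND /docs/ HTTP/1.1\r\n"
    "Host: intranet.example\r\n"
    "Depth: 1\r\n"
    "If: <http://intranet.example/docs/> (<opaquelocktoken:example-token>)\r\n"
    "Content-Length: 0\r\n\r\n"
)

OVERSIZED_PROPFIND = (
    "PROPFIND / HTTP/1.1\r\n"
    "Host: intranet.example\r\n"
    "If: <http://intranet.example/" + "A" * 4000 + ">\r\n"
    "Content-Length: 0\r\n\r\n"
)

PLAIN_GET = "GET /index.html HTTP/1.1\r\nHost: intranet.example\r\n\r\n"


if __name__ == "__main__":
    for finding in scan([BENIGN_PROPFIND, OVERSIZED_PROPFIND, PLAIN_GET]):
        print(f"oversized If header on PROPFIND {finding['path']}: "
              f"{finding['if_length']} bytes")
```

Standard IIS W3C logs do not record request headers, so a check like this belongs in front of the server (proxy, WAF or capture) rather than in log review; alerting on the method and header length alone keeps the rule independent of any particular payload.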
The vulnerability was found by researchers Zhiniang Peng and Chen Wu of the South China University of Technology Guangzhou, China. The researchers say that it has already been exploited in the wild with incidents observed last year. It was made public on March 27th and the researchers say that "other threat actors are now in the stages of creating malicious code based on the original proof-of-concept (PoC) code".
The vulnerability was found in systems running IIS 6.0 on Windows Server 2003 R2. The extended support period for Windows Server 2003 by Microsoft ended 20 months ago, so there is no official security fix for this issue.
IIS 6.0 is still running on more than 600,000 publicly accessible servers, according to the internet-connected device search engine Shodan, and most of these are likely to be running Windows 2003.
However, the true number of these servers that are actually vulnerable is unclear. For a start, there may be many more operational servers that are inaccessible from the internet. Secondly, many will not have WebDAV enabled. Researcher Iraklis Mathiopoulos found that only 10 per cent of those discovered by Shodan appear to be running WebDAV.
A patch for CVE-2017-7269 has been released by 0patch, but in the absence of an official fix, users are urged to disable WebDAV and, if possible, upgrade to a newer operating system.
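After disabling WebDAV it is worth confirming that the server no longer advertises it. The following added example, not from the article or from any vendor, sends an OPTIONS request to a server you administer and reports any WebDAV methods listed in the Allow header or a DAV compliance-class header. The hostname is a placeholder, and the two sample response header sets are constructed.

```python
"""Check whether a web server still advertises WebDAV after it was disabled.

Added verification example, not code from the article. It inspects the
Allow and DAV headers of an OPTIONS response; the parsing is separated
from the network call so it can be exercised on constructed data.
"""
import http.client
import sys

WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"}


def webdav_advertised(headers):
    """Return the WebDAV indicators found in OPTIONS response headers.

    `headers` is an iterable of (name, value) pairs as http.client returns
    them. WebDAV methods named in Allow are returned as-is; a DAV
    compliance-class header is returned as a "DAV:<classes>" marker.
    An empty set means nothing WebDAV-related was advertised.
    """
    found = set()
    for name, value in headers:
        lname = name.lower()
        if lname == "allow":
            found |= {m.strip().upper() for m in value.split(",")} & WEBDAV_METHODS
        elif lname == "dav" and value.strip():
            found.add("DAV:" + value.strip())
    return found


def probe(host, port=80, path="/", timeout=5):
    """Send OPTIONS to one of your own servers and return what it advertises."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("OPTIONS", path)
        resp = conn.getresponse()
        return webdav_advertised(resp.getheaders())
    finally:
        conn.close()


# Constructed sample responses: WebDAV still on, and WebDAV switched off.
WEBDAV_ON = [("Allow", "OPTIONS, TRACE, GET, HEAD, POST, PROPFIND, PROPPATCH, MKCOL"),
             ("DAV", "1, 2")]
WEBDAV_OFF = [("Allow", "OPTIONS, TRACE, GET, HEAD, POST")]


def report(label, indicators):
    """Format a one-line result for a host or sample."""
    if indicators:
        return f"{label}: WebDAV advertised ({', '.join(sorted(indicators))})"
    return f"{label}: no WebDAV methods advertised"


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python check_webdav.py server-to-check.example  (placeholder host)
        print(report(sys.argv[1], probe(sys.argv[1])))
    else:
        print(report("sample (WebDAV on)", webdav_advertised(WEBDAV_ON)))
        print(report("sample (WebDAV off)", webdav_advertised(WEBDAV_OFF)))
```

Treat the OPTIONS response as a hint rather than proof: a server can accept PROPFIND without listing it, or list methods that the configured handler then rejects, so confirm the change in the server's own configuration as well.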
It's not the first time that Microsoft has cold-shouldered Windows Server 2003 when it comes to issuing fixes for serious security flaws. Back in February 2015, the company decided against issuing a patch for a year-old flaw in the software because of the effort that would be required in order to craft a fix for it.