Recently in Security Category

The exploit for the Internet Explorer 6 and 7 vulnerability announced yesterday (KB981374) is public now. Late yesterday, Moshe Ben Abu published a Metasploit Module for the exploit after tracking down the exploit to a webpage.

> But Microsoft also released advisory KB981374 which describes a 0-day vulnerability
> reported to Microsoft only recently. At the moment only a limited number of targeted
> attacks have been reported. Internet Explorer 8 is not vulnerable, another good reason
> to update to this latest version of IE. There are not a lot of details available on the
> vulnerability, but for IE6/7 workarounds apply and are detailed in the advisory.

Contrary to what we expected last week, the Microsoft March Security announcements have a little surprise in it.

The standard bulletins cover Windows Movie Maker/Producer and Office:

• MS10-016 - possible code execution in Windows Movie Maker - ranked important: an attacker can send a malicious file to the target. When the file gets opened, remote code execution is possible. The exploitability index is high, meaning that the file format vulnerability is relatively easy to exploit. Windows XP and Vista ship with vulnerable versions. While Windows 7 does not ship with a vulnerable version, a user could have downloaded and installed the 2.6 version, which is affected. The bulletin does not provide a patch for the also affected Windows Producer, a little used multimedia add-on to Powerpoint.
• MS10-017 - possible code execution in Microsoft Excel - ranked important as well. This bulletin covers 7 vulnerabilities, all of them file format based. All versions of Office are affected, including Mac Office 2004 and 2008. An attacker needs to trick the target to open a specially crafted Excel document, which will allow the attacker to take control of the target system. Exploitability is high for the majority of vulnerabilities listed, so we suggest to put this patch on a fast installation schedule. Attack vectors include also Excel viewer and SharePoint server.

But Microsoft also released advisory KB981374 which describes a 0-day vulnerability reported to Microsoft only recently. At the moment only a limited number of targeted attacks have been reported. Internet Explorer 8 is not vulnerable, another good reason to update to this latest version of IE. There are not a lot of details available on the vulnerability, but for IE6/7 workarounds apply and are detailed in the advisory.

No major updates on advisory KB981169, also for Internet Explorer, which requires the target to press F1 to launch the attack and can best be avoided by user education.

References:

• Microsoft March 2010 Bulletin
• Qualys Security Alert
  

After the massive February update Microsoft will only release 2 Bulletins next week. Both are rated as "important," a medium criticality rating for Microsoft. The first bulletin is for the Windows Operating System affecting the only desktop platforms XP, Vista and Windows 7. The second Bulletin is for Microsoft Office and applies to all versions on Windows (Office XP, 2003 and 2007) and Mac OS X (Office 2004 and 2008), plus SharePoint and the Excel Viewer.

The lower criticality ratings allow IT admins more time to address these March bulletins. It is likely that the Office vulnerabilities should be handled first, as file format vulnerabilities in general have been on the rise in the last year and end users frequently trust open office format files such as Excel due to their business oriented, serious nature.

Microsoft issued earlier this week an advisory KB981169 for a clever attack through Internet Explorer. It requires the end user to press F1 in a pop-up box, so the main defense is make your users aware of the existence of the flaw and instruct them to get in touch with IT should this happen.

Stay tuned for our detailed analysis on next Tuesday.

References:

• Microsoft Advanced Notification for March 2010
• Vulnerability in VBScript Could Allow Remote Code Execution

For the last couple of months we have participated in the Cloud Security Alliance's project "Top Threats to Cloud Computing". A first version will be published at RSA 2010 at the Cloud Security Alliance Summit during RSA 2010.

Please help us with this effort by completing the Top Threats Survey. The survey takes about 5 minutes to complete and will help us understand whether we are on the right track with the areas covered.

The idea is to present summarized results of this survey at RSA. The project will continue to evolve after the conference as we incoporate your feedback.

Come see the results at the Cloud Security Alliance Summit !

Updated: The Patch for Adobe Reader (9.3.1) is now available - one of the flaws CVE-2010-0188 was found by Microsoft's Research Team.

Adobe announced a number of updates yesterday out of their normal 3-month cycle: APSB10-06 addresses a critical flaw in Adobe Flash and AIR. APSB10-07 is the announcement for an Adobe Reader and Acrobat update that will come out next Tuesday. It applicable to Windows, MAC OS X and Unix and critical as well.

Microsoft's February 2010 Patch Tuesday was slated to be the biggest release for Microsoft fixes in the last two years - 14 bulletins addressing 34 vulnerabilities. But the Google/CN Internet Explorer 0-day forced Microsoft to accelerate the testing of the planned IE bulletin and release it early, still in January. That leaves 13 bulletins covering 26 vulnerabilities for the February release, which constitutes one of the bigger patch Tuesdays.

There are 5 critical vulnerabilities for the Windows Operating System family - the newer versions Windows 7 and Windows 2008 R2 are only affected by 3 of them. Rewrites of the TCP/IP stack and the URI handling in Windows 7 and 2008/R2 improved on the implementation of these core OS capabilities.

Overall highest on our list for patching are MS10-006 SMB client and MS10-013 DirectShow, which affect all versions of Windows and have a low exploitability index. Next are MS10-007 Shell URL handling, which is critical for Windows 2000, XP and 2003 and MS10-008, an update to the ActiveX Killbit settings, applicable to all platforms.

MS10-012 is a bulletin for SMB that server administrators should focus on. It allows a malicious, unauthenticated party to launch a remote denial of service attack. In addition remote authenticated clients can execute code using another flaw addressed in the bulletin.

MS10-010 addresses an interesting vulnerability - it is in the hypervisor of Windows 2008. This virtualization vulnerability allows a guest operating system to crash the host operating system, affecting all virtual machines running on the same physical host. Virtualization is increasingly used in corporate IT environments and in cloud computing initiatives and we see this class of vulnerability gaining importance.

Microsoft Office has 2 bulletins, both rated as important. While the newest version of Office for Windows, Office 2007, is not affected, users of all other versions, including on MAC OS X should update as quickly as possible because file based vulnerabilities have been a favorite of attackers in the last year.

References:

• Microsoft Security Bulletin
• Technical insight from Microsoft
• SANS ranking for February 2010 patches

Microsoft released today the patch for the critical Internet Explorer 0-day flaw that has been widely covered by us and the security community in general. MS10-002 fixes a total of 8 vulnerabilities, including the 0-day which is identified as CVE-2010-0249 and is attributed to Meron Sellem from BugSec.

In the MSRC blog post announcing the release, Microsoft gives some insight on how they were able to turn around this patch in record time. Meron had reported the vulnerability in late August of 2009 and Microsoft had it confirmed in early September. By the time of public disclosure of the attacks against Google and others, the fix was in essence ready and tested. It was slated for release in the February Patch bulletin. Microsoft had to decide whether an out-of-band release of the patch was warranted or whether to bundle it into the February release as originally planned. An out-of-band release causes additional work for IT administrators that are tasked with addressing operating system vulnerabilities and are have been feeling the strain of keeping updated the growing number of software packages that attackers are increasingly targeting.

Nevertheless, given that exploits are available and that security researchers have shown that DEP as a defense can be circumvented, we recommend applying this update as soon as possible.

Hi this is Richie again with some updates:

Internally we do not think of the IE 0-day that was released last week isn't something that is new or unique. Every couple of months a new exploit for a critical vulnerability is discovered in the browser space and all major browsers see their share. Exploits of these types are commonly used in targeted attacks ("spear-phisihing") against corporations. What is new is that the affected organizations are coming forward with information on the attacks - a positive trend that we encourage and hope will continue.

Technically, the attack was focused on the browser/OS combination IE6 and Windows XP, both close to 10 years old and near end of life. Microsoft has put a lot of work into increasing attack mitigation and surface hardening that reduces the risk of successful exploitation on newer versions of the Windows Operating System (Vista, Windows 2008, Windows 7). In general users should upgrade to a modern OS/Browser combination, at minimum the browser should be updated to IE8 or another modern browser.

As of now, the attacks are limited to a small target population and we have not seen widespread use of the exploit. We expect that to change in the coming days since details of the vulnerability have been made publicly available. Microsoft has released a Fix-It which will turn on DEP for IE and help mitigate the attack. However there is active research going on to bypass the DEP measure and its effectiveness could be limited.

Further Microsoft has indicated that they will release an out-of-band patch for this issue soon. We will keep you updated with new developments as they arise.

Thanks
Richie Lai
Director of Vulnerability Research, Qualys, Inc.
http://twitter.com/rlaiqualys

Hi, my name is Richie Lai and I am the Director of Vulnerability Research here at Qualys. Some of you might have seen me with Wolfgang during our monthly patch Tuesday webcasts. We have been tracking some developments surrounding a 0-day in Internet explorer and I just wanted to give everyone information we've gathered.

Today Microsoft released an advisory for Internet Explorer versions 6 above and on all platforms up to Win7. The current exploit that is in the wild results in code execution only on Internet Explorer 6 on XP. The vulnerability exists in IE DOM parsing resulting in a dangling pointer potentially exploitable for remote code execution. Even though the advisory lists all platforms as affected, there are a few mitigating factors.

First, you are protected from this specific known exploit if Data Execute Protection (DEP) is enabled in the operating system. While DEP has been proven to stop exploits like this, there are known ways to bypass DEP if you can get code running. Which is where the second mitigating factor comes in, Address Space Layout Randomization (ASLR). On platforms where both DEP and ASLR are enabled, exploitation is extremely difficult. In the mean time, we suggest Windows XP users run Microsoft's "Fix-It" from the advisory which will enable DEP for IE 6 or 7 on XP. Table outlining the current exploitability across all platforms and IE versions listed below. As you can see, having the most updated browser will significantly reduce your exposure to this vulnerability at this time. We will update you as we get more information regarding this development.

	Windows 2000	Windows XP	Windows 2003	Windows Vista	Windows 2008	Windows 7
IE 6	exploitable	exploitable	DEP protected	N/A	N/A	N/A
IE 7	N/A	exploitable	DEP protected	Protected by Protected Mode	N/A	N/A
IE 8	N/A	DEP protected with XPSP3	DEP protected	DEP and ASLR Protected	DEP and ASLR Protected	DEP and ASLR Protected

Thanks
Richie Lai
Director of Vulnerability Research, Qualys, Inc.
http://twitter.com/rlaiqualys

McAfee's CTO George Kurtz just published some deeper insight into the attacks against Google. According to him a 0-day vulnerability in Internet Explorer was used. Microsoft has just issued an advisory KB979352 acknowledging the vulnerability on all versions of Internet Explorer, except IE v5.

It looks as if the Adobe Reader 0-day was not directly involved, contrary to what we had assumed so far.

We will update this post when further information comes to our attention.

References:

• Wired post by Kim Zetter
• CNET News by Elinor Mills

Yesterday Adobe Systems updated its Reader product to fix a total of eight vulnerabilities. Out of the eight vulnerabilities, six allow remote code execution and are critical. One of the flaws addressed was CVE-2009-4324, the 0-day vulnerability which has had exploits in the wild since December 14 2009, roughly a month ago. This vulnerability is exploited by including malicious code in a PDF document and triggered by executing an embedded JavaScript program. The PDF can be delivered through e-mail or downloaded from a website, making it a fairly easy attack to execute. Interestingly enough it seems that this particular flaw was used in against Adobe itself as pointed out by Elinor Mills at CNET.

Adobe has introduced two interesting security tools in the last two releases of the Reader product - one is an integrated update mechanism that will eventually default to automatic and silent updates. This mechanism is currently in beta and being tested with part of the installed base. The second tool is a internal blacklist that allows hackers to disable specific JavaScript functions. Adobe recently provided guidance on how to mitigate the December 0-day by using this tool. Both tools are in their initial stages but look very promising.

The fixed versions are now Reader v9.3 and v8.2 . What is important for Adobe Reader v7 users to know is that v7 is now out of support (as of 12/28/2009 - see: http://www.adobe.com/support/products/enterprise/eol/eol_matrix.html#86) and is not being updated anymore with Security fixes. However, it is impacted by the December 0-day. IT administrators should take inventory of their v7 users and upgrade them to the current standard of v9.

References:

• Original Adobe Advisory
• Qualys Advisory - QID 116768
• Adobe Blog post on breach

http://www.youtube.com/watch?v=q82o4y7CKmk

Microsoft starts 2010 slowly - a single bulletin containing one vulnerability in the embedded OpenType Font (EOT) engine. Due to the memory model in Windows 2000 the vulnerability is critical on that version of the Windows Operating System, all others receive a low severity rating. The flaw can be exploited through any OpenType enabled application such as Internet Explorer, PowerPoint, Word, etc by viewing a webpage or a document. Users of Windows 2000 should upgrade as quickly as possible.

There are 2 significant releases from other vendors today:

• Oracle has released their quarterly Critical Patch Update today. It contains 25 fixes for 7 of their products, including application servers and database engine. The majority of the vulnerabilities are remotely exploitable without authentication and IT admins should be taking a close look at the exposure these products have in their networks. In general database engines should have no necessity to be connected to open networks, but the application servers are very likely exposed.
• Adobe is also publishing their quarterly patch - and it will address a vulnerability in Adobe Reader that was documented as being actively exploited in the wild since the week before Christmas. There are workarounds are available, the official recommendation is to blacklist the JavaScript function that is being exploited. Blacklisting is a capability introduced by Adobe in their last update to Adobe Reader v9 and v8 in October 2009 and might not be familiar to many IT admins yet. An alternative recommendation is to turn off JavaScript completely in Adobe Reader - JavaScript has played a major role in the exploitation of Adobe Reader in 2009, so this a good preventive and defensive measure. As this setting disables functionality potentially needed by users, IT admins need to evaluate their individual situations.
  
  This release is also introducing the new Adobe updater process, which will according to Brad Arkin's tweet come preconfigured for automatic, silent updates à la Google Chrome

Intevydis, a security research company in Russia has announced last week that they will publish server-based 0-day vulnerabilities for the next 3 weeks. The first two are live and have POC code for Sun Directory Server 7.0 and Tivoli Directory Server 6.2. We are monitoring these releases and will keep you updated on further development.

References:

• Microsoft Security Bulletin
• Qualys Security Advisory

Over the weekend Jericho published on the OSVDB blog an analysis of annual vulnerability numbers that Elinor Mills from CNET had written about on Thursday in her InSecurity Complex blog. Some of the numbers originated from Qualys and we were not specific enough on the exact scope. As Jericho speculated our numbers were indeed for a more narrow set of products - not for all of Adobe and Microsoft software, but specifically for Adobe Reader and Microsoft Office. Elinor has since updated the article.

The overall point that we are trying to make remains the same - patching such applications is being neglected by most IT admins and attackers have increasingly shifted their attention to exploiting vulnerabilities in them. On Friday Brad Arkin from Adobe stated that Adobe Reader as a cross operating system application has a bigger installed base than Microsoft Windows, which makes it a very attractive target to attack.

What is your opinion on why the number of vulnerabilities found in Adobe Reader have gone up in 2009? Did attackers first notice that there was a potential, started writing exploits and then security researchers followed up or was it the other way around?

I am looking forward for your comments...

Yesterday Adobe's PSIRT acknowledged a flaw in Adobe Reader in the handling of PDF documents that is being exploited in the wild. The flaw affects Adobe Reader under Windows, MAC OS X and Linux/Unix.Symantec identifies the attack as Trojan-Pidief.H.

The ISC's handler on duty Pedro Bueno posted additional information.

Stay tuned for more information about potential workarounds - some have suggested turning off JavaScript in Adobe Reader which we think is a best practice anyway, but we do not know whether this is helpful for this attack.

Update: according to the advisory turning off Javascript is the recommended workaround, and enabling DEP in newer version of Windows provides further protection.

A new 0-day flaw in the Microsoft's SMB protocol implementation in Windows 7 and 2008/R2 was published by Laurent Gaffié on Wednesday of last week, one day after Microsoft's November Patch Tuesday. The flaw was acknowledged on Friday by Microsoft as KB977544.

The exploit involves tricking an end user to click on a link to a server with a malicious configuration, which causes the machine to become unresponsive requiring a reboot. The flaw is unrelated to the recent SMBv2 problem (MS09-050). The recommended workaround at the moment is to prohibit outgoing traffic for the ports used by SMB 139 and 445 with a firewall. This type of egress filtering is already considered a best practice, but such a configuration involves additional work and I doubt that it is consistently implemented.

However, the vulnerability is not very "useful" as it involves user interaction and "only" locks up the target machine. A typical attacker that goes through the work of tricking users to click on a link will use an exploit that allows him to control the target machine after execution. For Microsoft the vulnerability represents a trigger to review and improve the part of the SDL process that did not catch the flaw.

Laurent is doing excellent security research work here on Windows 7 just as 2 months ago, but the discussion on "full" vs. "responsible" disclosure will certainly be revived by his post. While we do not know the exact details for Laurent's exchange with Microsoft, we believe that "responsible disclosure" is the more productive mechanism to improve Internet security by fostering collaboration.

References:

• ISC blog post - great information
• Qualys ID 90569

Today Microsoft released patches for 6 security updates that address 15 individual vulnerabilities. Three patches were rated as critical and the other 3 are rates as important. Here is a recap of today's advisory:

• MS09-065 was rated as Critical due to the EOT (Embedded Open Type Font) vulnerability in which an attacker can execute arbitrary commands on the victim's computer. This can be achieved by enticing the victim to visit a web page with malicious EOT fonts or open an e-mail which contains malicious content. A proof of concept that causes the application to crash is publicly disclosed. All Windows operating systems except Windows 7 and Windows 2008 R2 are affected.
  We can expect working exploits soon and this is the most critical vulnerability to address - for users that cannot patch the vulnerability immediately Microsoft has provided also some workarounds in a detailed blog post including instructions on how to use GPOs to roll them out in an automated way.

• MS09-063 and MS09-064 are critical as well as they allow a remote un-authenticated attacker to send malicious packets to the affected systems to cause a remote code execution. MS09-063 is limited to attacks from the local subnet.

• MS09-067 and MS09-068 affect Microsoft Excel and Word. They are standard file format issues that affect consumers and enterprise users alike.

• Three of the six advisories (MS09-063, MS09-064 and MS09-066) have listening ports open which can be targeted for network based attacks.

The newer OS versions Windows 7 and Windows 2008 R2 were not affected by any of the bulletins released today, a good indication of the progress that Microsoft has made in securing the base Operating System.

In a similar way the security features included in the new Office 2010 would have prevented both MS09-067 and MS09-068. We saw a demo of these features the other day at BlueHat and the strict sandboxing imposed on files that are received through e-mail or Internet download should take care of 2 of the main attack vectors for this type of exploit.

References:

• Microsoft Security Bulletin
  
• Qualys Security Alert
  

October's 2009 Microsoft Patch Tuesday is a massive release with 13 advisories covering 34 vulnerabilities. 2 advisories address last month's 0-day vulnerabilities - SMBv2 and FTP for IIS in a very quick turn-around. However another 6 vulnerabilities are tagged as having information disclosed publicly before today's patch release. Of the total set of vulnerabilities a full 22 are of critical severity and should be addressed as quickly as possible. A large selection of software is affected: all versions of Windows (including Windows 7), Windows Media Player, Office and also Silverlight - Microsoft's new rich media development tool. Internet Explorer also receives an update for 2 critical vulnerabilities - one of them disclosed at the Black Hat Security conference.

MS09-054 is a fix for critical vulnerabilities in all versions of Internet Explorer and interestingly can also affect non-Microsoft software - namely Firefox the browser from Mozilla. The Microsoft .Net runtime installs a plug-in into Firefox that allows XAML Browser Applications (XABP) to be launched through Firefox and serves as a conduit to the vulnerable component of Windows.

The biggest set of vulnerabilities this month is addressed by MS09-062, which fixes 8 flaws in the GDI+ graphics library. This library is widely used in applications as diverse as Microsoft Office, Visual Studio development tools, SQL Server and even Forefront Security Client.

Another set of 2 vulnerabilities disclosed at Black Hat (video presentation here and here - worth watching) is addressed by MS09-056. It provides a fix to the CryptoAPI library and the much talked about "Null prefix certificate" which allows for the impersonation of an arbitrary SSL certificate by embedding a NULL character at the right spot in the certificate request. Earlier this month a certificate was leaked to the full disclosure mailing list that impersonated www.paypal.com. The vulnerability is rated only as "important", because it does not allow the attacker to take over the machine, but it can be used to steal the user's credentials to any web site.

Important: Adobe released their patch for Adobe Reader, the popular PDF viewer. Adobe Reader versions 7, 8 and 9 are vulnerable on all versions Windows and Mac OS X. Adobe had acknowledged the existence of exploits focused on v9 and Windows last week. This is a critical update that should be applied as soon as possible.

References:

• Microsoft Security Bulletin
  
• Qualys Security Alert
  

Security Researchers at Immunity have released today an exploit for the SMB2 flaw in Vista/2008, as reported today by The Register's Dan Goodin. The code is available under the Canvas Early Updates program and a paid subscription is needed to access it.

The Exploit works on all versions of Vista and Windows 2008 with the exception of 2008 R2. Microsoft has described in this advisory a workaround, amounting to turning off SMB2. The implementation of this workaround is now becoming critical as attackers will have access to the code soon, in the most optimistic case next week when HDMoore thinks that Metasploit will have the exploit implemented.

The SANS Institute just published the Top Cyber Security Risks Report for the first half of 2009. In this report TippingPoint, SANS and Qualys collaborated using attack, vulnerability and forensics data to provide the latest trends in the security field.

Enterprise IT administrators and tech savvy computer end users alike will find interesting information that will help them secure their computers against current threats in the typical software installed on their machines, such as Adobe Reader and Flash, Apple QuickTime, Microsoft Office and Sun Java. The report clearly demonstrates a lag in installing security patches to these productivity applications, despite the attention they get in the press and from the security community. Since all of them are widely installed in businesses, we advise organizations to treat them with the same attention as OS and network vulnerabilities patches and to include them in their regular patching process.

This month Microsoft released 5 critical advisories, addressing a total of 8 vulnerabilities. The focus is on the Windows Operating System family and all versions are affected. The notable exception is Windows 7 which is a pleasant surprise and most likely an outcome of the additional security measure implemented in this latest version of Windows.

MS09-045 and MS09-047 are client side vulnerabilities affecting indirectly Internet Explorer and Windows Media Player. They require user actions for a successful exploit, but attackers have the necessary tools in place to entice users to visit infected web pages and open malicious media files. MS09-048 is a "classical" network vulnerability of a type that we have not seen in a while: it is located in the TCP/IP network stack of Windows 2008 and Vista and can be exploited through the network, however Microsoft rates the exploitation difficulty as high. MS09-049 is a very interesting attack on the WLAN auto-configuration service of Vista and Windows 2008, it requires a malicious Access Point to be in WIFI range, which limits the number of machines that can be attacked at any given time. We recommend that customers focus on MS09-045 and MS09-047 due the high likely hood of exploits.

As previously announced Microsoft did not address the IIS FTP 0-day vulnerability that was made public last week. In addition yesterday a security researcher disclosed a vulnerability in the file sharing protocol (SMB2) of Vista, 2008 and potentially Windows 7. We expect Microsoft to monitor the extent of exploitation of these 2 new vulnerabilities and continue to provide guidance for workarounds.

Update: Microsoft has acknowledged the SMB2 vulnerability and provided a workaround in advisory 975497, suggesting to disable the SMB2 protocol, machines would then fallback to the older SMB protocol for filesharing.

References:

• Microsoft Security Bulletin
  
• Qualys Security Alert
  

Yesterday the Mozilla foundation announced on their security blog that Firefox will start checking for outdated Flash plug-ins. This is a great way of improving the security of web browsers, Flash is often used by attackers to exploit client machines and unfortunately notoriously difficult to update, requiring (on Windows) different update packages for Internet Explorer and all other browsers.

Now we just need to convince Hillary Clinton to let the Department of State use Firefox.



As you can see this worked fine for me on my Mac under Firefox 3.0.14

This Monday proof of concept exploit code for a Microsoft IIS FTP vulnerability was posted to the milw0rm site. The code allows the attacker to take control of the machine that runs the vulnerable FTP server and can easily be automated and turned into a mass attack tool by combining it with a scanning tool. In order to be exploitable, the vulnerable FTP server need to allow write access and the creation of directories. Unfortunately, even anonymous write access is good enough to make the server vulnerable, but nevertheless this cuts down on the number of potential targets.

Microsoft acknowledged the vulnerability and published an advisory 975191 this afternoon and list 5.0, 5.1, 6.0 and also 7.0 as affected. The advisory suggests as work-arounds to either disable FTP altogether, limit access to only authorized and named users or use NTFS capabilities to prohibit the creation of directories on the server. The NTFS solution seems to be the way to go for users that cannot make a bigger change to their FTP services and has minimal impact, so it is a good interim solution until a real patch comes out. We don't expect this problem to be addressed in next week's Patch Tuesday release as the Development and QA time are too long; it makes sense to prepare for a longer period without a real solution. An alternate way of dealing with the problem is to evaluate whether a robust FTP server with more granular management capabilities can be deployed instead of the one built-in within IIS.

HD Moore ported the exploit code to his Metasploit project yesterday. This makes it even simpler for IT administrators to demonstrate the existence of the exploit and argue for the deployment of an alternative FTP server.

Updated to include IIS 7.0 as Microsoft amended their advisory on 9/3/2009