IIS flaw leaves NASDAQ open to attack

The web server of the NASDAQ stock exchange has been open to attack for over a year due to an unpatched flaw in Microsoft's IIS.

A NASDAQ representative exclusively told Network News last week: "Until recently the site was compromised, but now is secure."

NASDAQ did not apply a patch despite the fact Microsoft issued a security alert and fix when it was discovered in July last year. The bug affects the middle layer of IIS, where the web server interacts with products such as databases.

Malcolm Skinner, of security vendor Axent, said: "The hole allows control of the server. A glitch allowing execution of shell commands is a problem because administrators are dismissive of keeping patches up to date."

Russ Cooper, of NT BugTraq, said Compaq, Dell and CompuServe are examples of other companies that had also failed to apply the patch.

Compaq told Network News that Microsoft assured it the fix would be included when IIS was updated, but has since admitted that the automated fix doesn't work.

A corrected version is now available. Dell made no comment, but CompuServe said Microsoft alerted it to the problem last year when it took steps to make the site secure.

Cooper said network administrators are convinced their networks are impenetrable, and claimed it is difficult to convince them of security risks.

Neil Laver, internet product manager at Microsoft, said: "A fix was issued last year, which was 100 per cent secure at the time."

http://www.ntbugtraq.com

http://www.microsoft.com.