A zero-day that hackers worldwide are exploiting is on course to affect approximately 600,000 systems, and Microsoft says no fix will be provided because those systems run unsupported software.
Security researchers at the South China University of Technology discovered the vulnerability in Windows Server 2003 running IIS6 and posted a proof-of-concept exploit on GitHub. The vulnerability is tracked as CVE-2017-7269, and the two researchers say it was first exploited in mid-2016, but it went public last week, when more hackers started working on code to use it in their attacks.
Specifically, the researchers stated that the security issue affects the IIS WebDAV component and can be exploited with a crafted request using the PROPFIND command. A successful attack leads to denial of service or arbitrary code execution. Security company Trend Micro has also stated that even an unsuccessful attack can result in denial of service.
Although around 600,000 systems are expected to be affected by the attacks, Microsoft will not be providing a patch, because Windows Server 2003 has not received support since 2015. The company encourages customers to upgrade to remain secure.
“This issue does not affect currently supported versions. We continue to recommend that customers upgrade to our latest operating systems and benefit from robust, modern protection,” the firm said in a statement.
Trend Micro has stated that users who are still running Windows Server 2003 and cannot upgrade to a newer version of the operating system can disable the WebDAV service on the vulnerable systems.
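To check whether PROPFIND requests are reaching a server and whether WebDAV still answers them after the mitigation, the IIS logs can be audited. The following is an added example, not code from the researchers or Trend Micro; it assumes the logs are in W3C extended format with the `cs-method`, `c-ip`, `cs-uri-stem` and `sc-status` fields enabled, and the sample lines are constructed.

```python
from collections import Counter

# Constructed sample in IIS W3C extended log format (not real traffic).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2017-03-30 08:00:01 192.0.2.10 GET /index.htm 200
2017-03-30 08:00:05 198.51.100.7 PROPFIND / 207
2017-03-30 08:00:06 198.51.100.7 PROPFIND / 500
2017-03-30 08:01:12 203.0.113.4 PROPFIND /docs 501
"""

def propfind_hits(lines):
    """Yield one dict per PROPFIND entry, named by the #Fields directive."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # the directive can change mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # skip truncated or malformed entries
        row = dict(zip(fields, parts))
        if row.get("cs-method", "").upper() == "PROPFIND":
            yield row

def summarize(lines):
    """Return (PROPFIND count per client, URIs where WebDAV answered)."""
    by_client = Counter()
    answered = set()
    for row in propfind_hits(lines):
        by_client[row.get("c-ip", "?")] += 1
        # 207 Multi-Status is the normal WebDAV reply, so WebDAV is still on.
        if row.get("sc-status") == "207":
            answered.add(row.get("cs-uri-stem", "?"))
    return by_client, answered

if __name__ == "__main__":
    clients, answered = summarize(SAMPLE_LOG.splitlines())
    print("PROPFIND requests per client:", dict(clients))
    print("URIs where WebDAV answered (207):", sorted(answered))
```

Once WebDAV is disabled, new log entries should no longer show a 207 status for PROPFIND; any that do point to a site where the service is still enabled.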
This zero-day vulnerability shows that running unsupported software is a very risky decision, especially for companies whose computers might be storing confidential data. That does not mean everyone is ready to give up on old and unsupported software, and Windows XP is living proof.
At this point, more than 7 per cent of the world’s PCs are running Windows XP, even though support has not been offered since 2014, so every single vulnerability in the operating system remains unpatched....