There’s a Severe Privilege Escalation Vulnerability in Windows RPC Protocol That Microsoft Won’t Fix
Last updated September 23, 2021
Cybersecurity agencies may be promoting “best security practices,” nations are investing in training and bolstering programs, and network security organizations are calling for the adoption of “zero-trust” systems. Still, when you consider how many companies and admins are still running legacy, unsupported software, it can all look as if it is done in vain. According to research by CyberNews, over two million web servers worldwide are running an outdated and vulnerable version of Microsoft Internet Information Services (IIS), and this is only a snapshot of the situation, focusing on a single product.
IIS has a market share of 12.4% in the web server software field, and it is used by 51.6 million websites and web apps. All versions 7.5 and older are no longer supported by the company, so they carry several vulnerabilities that can be exploited by malicious actors. In most cases, these flaws have been documented and proof-of-concept (PoC) exploits have been published. As such, crooks don’t even have to dig much or write any code themselves, as hitting these old versions is a matter of sourcing the right tools.
For context, IIS 7.5 was released with Windows 7 all the way back in 2010, and support for it ended in January 2020. So, all the vulnerable systems that CyberNews investigators found online haven’t been updated for over a decade. The two countries with the most vulnerable IIS servers are China and the U.S., with Hong Kong, South Korea, and Germany following behind with notable numbers too.
A possible explanation for this could be that most of these vulnerable deployments rely upon pirated copies of Microsoft Windows, run by admins who don’t know how to maintain them and don’t care about upgrading their IIS installations at all. Many pirated versions of Windows cannot be upgraded at all, as the relevant update module has been disabled. In China, there are almost no compliance regulations to underpin software deployment, leading to situations like this one.
Most of the vulnerable systems run IIS version 7.5, a notable number run 6.0 (released with Windows XP), and some run version 7.0, which is the most vulnerable branch of all, with 17 known vulnerabilities. Version 7.5 has five documented flaws, more than enough to give hackers a handle on the systems.