14 DAY TRIAL // A zero-day affecting approximately 600,000 systems out there is being exploited by hackers worldwide, and Microsoft says that no fix would be provided because they are running unsupported software.
Security researchers at the South China University of Technology discovered a vulnerability in Windows Server 2003 running IIS6 and posted a proof-of-concept exploit on Github. The vulnerability is documented in CVE-2017-7269 and the two researchers say it was first exploited in mid-2016 but it became public last week when more hackers started working on code to use it in their attacks.
Specifically, the research shows that the security issue affects the IIS WebDAV Component and can be exploited using a crafted request using the PROPFIND command. A successful attack leads to denial of service or arbitrary code execution, security company Trend Micro warns, who also adds that even an unsuccessful attack can open the door to denial of service.
No patch
Although so many computers are said to be exposed to attacks, Microsoft won’t provide a patch, and for good reason: Windows Server 2003 no longer receives support since 2015, so the company encourages customers to upgrade to remain secure.
“This issue does not affect currently supported versions. We continue to recommend that customers upgrade to our latest operating systems and benefit from robust, modern protection,” the firm said in a statement.
Trend Micro says that customers running Windows Server 2003 who can’t upgrade to newer versions of the operating system can disable the WebDAV service on the vulnerable systems.
This zero-day vulnerability shows that running unsupported software is a very risky decision, especially for companies whose computers might be storing confidential data. This doesn’t necessarily mean that everyone is ready to give up on old and unsupported software, and Windows XP is living proof.
At this point, more than 7 percent of the world’s PCs are running Windows XP, even though support is no longer offered since 2014, so every single vulnerability in the operating system remains unpatched.