At first glance, the recently disclosed buffer overflow vulnerability affecting Microsoft IIS 6.0 might appear to be a minor affair. Exploit code is circulating in the wild, but the latest version of the extensible web server is, after all, version 10. With version 6.0 released many iterations ago, isn’t it considered out of date and no longer in production?
Unfortunately, that is not the case. A search using Shodan reveals that IIS 6.0 is still in use in the US, China, the UK, Hong Kong, and Canada, with hundreds of thousands of instances running. Many companies may still be using IIS 6.0 to run critical applications. Iraklis Mathiopoulos has done some great calculations about how many of those instances might actually be vulnerable, based on which headers are enabled. Upgrading may not be an option because of legacy hardware or the need to retain compatibility across services. This is not uncommon. Since Microsoft no longer supports IIS 6.0, IT leaders will be searching for an effective compensating control to ensure the vulnerability, CVE-2017-7269, cannot be exploited by a malicious actor.
Oracle Dyn’s fully managed web application security platform is one effective means of protecting your sites running on IIS from exploits of this vulnerability and from other malicious activity. Combining a Web Application Firewall, content delivery, bot protection, and access control rules, the cloud-based security control sees every malicious request sent to your origin and blocks it.
Oracle Dyn has already crafted a new rule to address CVE-2017-7269, building on the rich ruleset that forms the custom security profile for every domain we protect. Every action taken, along with the associated logs, is stored in the industry’s best management portal. With Oracle Dyn’s protection, there is no need to incur downtime and increased risk while upgrading to a Microsoft-supported platform: keep what you have without sacrificing security.