CVE-2017-7269 is a buffer overflow vulnerability that is currently being exploited in the wild. Unfortunately, Microsoft doesn't plan on fixing the flaw because the victims are running unsupported software. The vulnerability was discovered by researchers at South China University of Technology, who shared a proof-of-concept exploit on GitHub. CVE-2017-7269 resides in Windows Server 2003 running IIS 6. Apparently, it was exploited in attacks in the middle of 2016 and is once again being exploited in active campaigns.
CVE-2017-7269 Official Description
Buffer overflow in the ScStoragePathFromUrl function in the WebDAV service in Internet Information Services (IIS) 6.0 in Microsoft Windows Server 2003 R2 allows remote attackers to execute arbitrary code via a long header beginning with “If:
CVE-2017-7269 is a classic buffer overflow flaw that can be exploited with an overly long 'If' header in a 'PROPFIND' request, where the If header references at least two HTTP resources, explains Trend Micro. The result is either remote code execution or denial of service.
According to Trend Micro researchers, a successful exploit could lead to denial of service or arbitrary code execution. What is worse, even an exploitation attempt that does not succeed could still lead to denial of service.
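Since the article describes the shape of the malicious request (a PROPFIND with an overly long If header that references two or more HTTP resources) but IIS 6 W3C logs do not record the If header by default, a defender who captures raw request heads at a reverse proxy or from a packet capture can flag that pattern directly. The following checker is an added example, not code from the article or from Trend Micro; the `LENGTH_THRESHOLD` value and the sample requests are constructed for illustration, and real WebDAV If headers in your environment should be measured before tuning the threshold.

```python
"""
Added example (not part of the original article): flag WebDAV PROPFIND
requests whose "If:" header is unusually long and references two or more
HTTP resources, the request shape described for CVE-2017-7269.
"""
import re

# Constructed threshold (assumption): legitimate WebDAV If headers hold a
# few lock tokens or ETags and are short, so anything this long is odd.
LENGTH_THRESHOLD = 512

# WebDAV If headers name resources as <URI>; count only URL references.
RESOURCE_RE = re.compile(r"<https?://[^>]*>", re.IGNORECASE)


def parse_request(raw: str):
    """Parse a raw HTTP request head into (METHOD, {header-name: value}).

    Header names are lower-cased; only the head (before the blank line)
    is examined, so a request body is ignored.
    """
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    method = lines[0].split(" ", 1)[0].upper()
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue  # tolerate malformed header lines instead of crashing
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return method, headers


def is_suspicious_propfind(raw: str, threshold: int = LENGTH_THRESHOLD):
    """Return (flagged, reason) for one raw request.

    Flags only when all three conditions hold: method is PROPFIND, the If
    header exceeds `threshold` bytes, and it references >= 2 HTTP URLs.
    """
    method, headers = parse_request(raw)
    if method != "PROPFIND":
        return False, f"method {method} is not PROPFIND"
    if_header = headers.get("if")
    if if_header is None:
        return False, "PROPFIND without If header"
    n_urls = len(RESOURCE_RE.findall(if_header))
    reason = f"If header is {len(if_header)} bytes with {n_urls} URL references"
    flagged = len(if_header) > threshold and n_urls >= 2
    return flagged, reason


def scan_requests(requests):
    """Return the indices of requests that match the suspicious pattern."""
    return [i for i, raw in enumerate(requests) if is_suspicious_propfind(raw)[0]]


# Constructed sample requests (not real traffic). The hostname is a placeholder.
BENIGN_REQUEST = (
    "PROPFIND /docs/ HTTP/1.1\r\n"
    "Host: webdav.example.test\r\n"
    "Depth: 1\r\n"
    "If: <http://webdav.example.test/docs/a.txt> (<opaquelocktoken:1234>)\r\n"
    "\r\n"
)
SUSPICIOUS_REQUEST = (
    "PROPFIND /docs/ HTTP/1.1\r\n"
    "Host: webdav.example.test\r\n"
    "If: <http://webdav.example.test/" + "A" * 600 + "> (Not <locktoken:x>) "
    "<http://webdav.example.test/" + "B" * 600 + ">\r\n"
    "\r\n"
)
# Long If header but a different method: not the pattern being looked for.
GET_REQUEST = (
    "GET /docs/ HTTP/1.1\r\n"
    "Host: webdav.example.test\r\n"
    "If: <http://webdav.example.test/" + "C" * 700 + "> <http://webdav.example.test/d>\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for raw in (BENIGN_REQUEST, SUSPICIOUS_REQUEST, GET_REQUEST):
        print(is_suspicious_propfind(raw))
    print("flagged indices:", scan_requests([BENIGN_REQUEST, SUSPICIOUS_REQUEST, GET_REQUEST]))
```

Requiring all three conditions keeps false positives low: a long If header alone is not enough, and the same check can run on its own over a feed of request heads extracted from a proxy or capture. Because the article notes that even a failed attempt can crash the service, a match is worth treating as an incident indicator rather than noise, and the real mitigation remains the one Microsoft gives: retire or upgrade the unsupported host, or at least disable WebDAV on it.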
Businesses Continue to Run Unsupported Software, Research Shows
However, the worst of it all is that Microsoft is not going to patch the flaw, because Windows Server 2003 has been out of support since 2015. Instead of preparing a patch, the company urges affected customers to upgrade to a supported version to avoid exploitation.
The zero-day is a good illustration of what happens when unsupported software is kept running. The resulting attack scenarios can be fatal for companies and their sensitive data.
In addition, a recent Spiceworks survey reveals that Windows 7 continues to be favored by businesses, whereas Windows 10 adoption continues to be slower than Microsoft anticipated. On top of that, Windows XP has more business users than Windows 10, despite the fact that it was launched in 2001 and no longer receives security patches.