IIS vulnerability may cause security breach

Microsoft (www.microsoft.com) is investigating reports of a possible vulnerability in older versions of Microsoft Internet Information Services (IIS), a set of Internet-based services for servers and the world's second most popular web server in terms of overall websites.

According to Microsoft's announcement, an "elevation of privilege" vulnerability exists in the way that the WebDAV extension for IIS handles HTTP requests, which could be exploited by creating a specially crafted anonymous HTTP request to gain access to a location that typically requires authentication.

"We are not aware of attacks that are trying to use this vulnerability or of customer impact at this time," Microsoft said in a statement, noting that it is investigating the various public reports of the security loophole. "We are actively working with partners in our Microsoft Active Protections Program and our Microsoft Security Response Alliance program to provide information that they can use to provide broader protections to customers."

The vulnerability affects only versions of IIS older than version 7.0; version 7.0 itself is not affected. Microsoft recommends that users disable WebDAV functionality if it is not required on the server, to stop possible attacks.

Microsoft may provide a security update through its monthly release process or by issuing an out-of-cycle security update, depending on customer needs.

The elevation of privilege vulnerability was made public last week by security researcher Nikolaos Rangos on the Full Disclosure mailing list, according to a ComputerWorld report. Rangos' note said the bug had the potential to upload malicious files. In response, however, Belgian researcher Thierry Zoller said it was impossible for an attacker to actually plant and run malware on the server.
