Microsoft issues server flaw advisory

Software giant Microsoft issued a warning on Thursday about a flaw that could put Web hosting providers at risk.

According to Microsoft's security advisory on the vulnerability, the bug affects Windows XP Professional Service Pack 2, Windows Server 2003, Windows Vista and Windows Server 2008.

The problem lies in how Windows handles code running within Internet Information Services (IIS) and SQL Server. If exploited, it could allow authenticated local users to execute specially crafted code and raise their privileges to LocalSystem.

"Hosting providers may be at increased risk from this elevation of privilege vulnerability," writes Microsoft in its advisory.

According to reports, Microsoft has yet to receive any reports of the vulnerability being targeted, but security experts have already warned of a possible attack.

"The vulnerability is limited to a local privilege escalation, but IIS' susceptibility is concerning," writes McAfee researcher Karthik Raman on his blog. "The Web server is widely used on the Internet, and is a top pick by Web hosting providers. We might see Web hosting providers targeted, and - this is scary - their clients' Web sites breached."

No patch is currently available, but it is believed that Microsoft has issued workaround instructions for IIS 6.0 and IIS 7.0.

The software giant says it is still investigating the report and will make a decision on whether to issue a patch immediately or wait until its next scheduled security update on May 13.
