Microsoft is warning of an IIS zero-day vulnerability in Microsoft Internet Information Services (IIS) Web server, which if successfully exploited, could give an attacker elevated privileges to gain access to sensitive data.
Microsoft said a remote authentication bypass vulnerability exists in the WebDAV extension, a collection of tools used to publish content to IIS Web servers. The Web server does not properly decode a requested URL. An attacker can exploit the flaw by creating a specially crafted anonymous HTTP request to gain access to a location. Microsoft said the hack typically requires authentication.
Microsoft IIS versions 5.0-6.0 are affected. The software giant said it is unaware of any known attacks against the flaw in the wild. But the U.S. Computer Emergency Response Team issued an advisory warning on Monday that it is aware of publicly available exploit code and active exploitation of the vulnerability.
IIS security information:
Windows IIS server hardening checklist: Use this checklist on the job to secure your IIS server.
IIS security: Configure Web server permissions for better access control: Updating user access controls as business portfolios expand can help protect confidential data.
How to implement IIS authentication settings: In this SearchSecurity.com Q&A, identity management and access control expert Joel Dubin reviews how to set IIS authentication permissions and allow open access to Web sites hosted on IIS Web servers.
As a workaround, users can disable WebDAV functionality, Microsoft said. Users can also deny file system access control lists for anonymous user accounts or use NTFS access control lists to control access to resources on the server.
"Microsoft will take the appropriate action to protect our customers, which may include providing a solution through our monthly security update release process, or an out-of-cycle security update, depending on customer needs," Christopher Budd, the security response communications lead for Microsoft said in a statement.
The flaw was discovered by security researcher Nikolaos Rangos, who posted details to the Full Disclosure security mailing list. In his IIS advisory, Rangos said the flaw enables attackers to bypass password protected folders and upload or download files into a password protected WebDAV folder.
In its 971492 security advisory, Microsoft downplayed the severity of the flaw explaining several security features that must be bypassed to successfully exploit the flaw.
Microsoft said an attacker cannot exceed the level of access granted to the anonymous user account since the IIS file system verifies whether a file is accessible by a given user. Also, the anonymous user account only has read access. Microsoft said the WebDAV extension is not enabled in the default configuration, meaning that many organizations may not be using it.
Danish vulnerability clearinghouse Secunia gave the flaw a moderately critical rating.