
Microsoft doesn't rule out rushed patch for IIS zero-day vulnerability

Robert Westervelt, News Director, SearchSecurity.com

Security researchers have discovered a Microsoft Internet Information Services (IIS) zero-day vulnerability that could allow an attacker to upload malicious code to a Web server and have the server execute it.

Microsoft acknowledged the vulnerability on Sunday. The flaw is in how IIS parses file extensions: when a file name carries multiple extensions separated by a semicolon, IIS 6 decides how to handle the file from the part of the name before the semicolon. A file uploaded with a name ending in ".asp;.jpg" therefore passes an upload filter that checks the last extension as an image, but is run by the ASP script engine when it is requested. Proof-of-concept exploit code works on IIS 6 and earlier versions, according to a report by Guy Bruneau of Ottawa, Canada-based security firm IPSS Inc. in the SANS Internet Storm Center diary.


Microsoft security program manager Jerry Bryant disputed that the IIS 6.0 vulnerability is critical. In a Microsoft Security Response Center (MSRC) blog entry, Bryant said an IIS Web server must be in a non-default, unsafe configuration to be vulnerable. Microsoft is also unaware of any active attacks targeting the vulnerability, he said.

"An attacker would have to be authenticated and have write access to a directory on the Web server with execute permissions, which does not align with best practices or guidance Microsoft provides for secure server configuration," Bryant said.

Danish vulnerability clearinghouse Secunia rated the vulnerability "less critical." In its advisory, Secunia credits researcher Soroush Dalili with discovering the IIS vulnerability. As a workaround until a patch is released, administrators can restrict file uploads to trusted users or remove execute permissions from upload directories, Secunia said.
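The extension-parsing quirk described above, together with the upload-restriction workaround Secunia suggests, as an added example that is not code from the article, from Microsoft or from Secunia. It is written in Python rather than ASP so the logic can be run anywhere: a naive "last extension" upload check of the kind that lets a name ending in ".asp;.jpg" through, a function that reproduces the semicolon truncation so the two can be compared, and a hardened whole-name allowlist that rejects the bypass. The allowed and script extension sets and the sample file names are constructed for the example; removing execute permissions from the upload directory is an IIS configuration change and is not shown here.

```python
import os
import re

# Extensions the application intends to accept for uploads (constructed list).
ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif"}

# Extensions a script engine would run on the server (constructed, not exhaustive).
SCRIPT_EXTENSIONS = {".asp", ".aspx", ".asa", ".cer", ".cdx", ".php"}

# Constructed sample of upload names as an attacker or user might submit them.
SAMPLE_NAMES = [
    "photo.jpg",
    "shell.asp;.jpg",
    "report.pdf",
    "Shell.ASP;.JPG",
    "a.jpg;.asp",
    "../etc.jpg",
]

# Matches exactly one simple base name and one extension, nothing else.
_SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}(\.[A-Za-z0-9]{1,5})")


def naive_extension(filename: str) -> str:
    """What a typical upload filter looks at: the text after the last dot."""
    return os.path.splitext(filename)[1].lower()


def iis6_effective_extension(filename: str) -> str:
    """Model of the IIS 6 behaviour described in the advisory: the name is cut at
    the first semicolon before the handler is chosen, so 'shell.asp;.jpg' is
    treated as an .asp file."""
    before_semicolon = filename.split(";", 1)[0]
    return os.path.splitext(before_semicolon)[1].lower()


def naive_filter_allows(filename: str) -> bool:
    """The vulnerable check: accepts anything whose last extension is allowed."""
    return naive_extension(filename) in ALLOWED_EXTENSIONS


def hardened_filter_allows(filename: str) -> bool:
    """Allowlist the whole name rather than the last extension.

    Rejects path components, semicolons and any other character outside a
    small safe set, allows exactly one dot, and finally confirms that the
    extension IIS would act on is the same one we validated."""
    name = os.path.basename(filename.replace("\\", "/"))
    if name != filename:
        return False  # a directory component was present
    match = _SAFE_NAME.fullmatch(name)
    if match is None:
        return False  # semicolon, second dot, or other disallowed character
    ext = match.group(1).lower()
    if ext not in ALLOWED_EXTENSIONS:
        return False
    # Belt and braces: the server-side interpretation must match what we checked.
    return iis6_effective_extension(name) == ext


def audit(filenames):
    """Return the names the naive filter accepts but IIS 6 would hand to a script engine."""
    return [
        f for f in filenames
        if naive_filter_allows(f) and iis6_effective_extension(f) in SCRIPT_EXTENSIONS
    ]


if __name__ == "__main__":
    for name in SAMPLE_NAMES:
        print(f"{name:18} naive={naive_filter_allows(name)!s:5} "
              f"iis6_ext={iis6_effective_extension(name):6} "
              f"hardened={hardened_filter_allows(name)}")
    print("naive filter would let through and IIS 6 would execute:", audit(SAMPLE_NAMES))
```

The `audit` function is the check to run over an existing upload directory or its access logs: any name it flags is one the old filter trusted and the server would have executed. Note that the hardened filter is only half of Secunia's advice; even a correct allowlist should sit alongside an upload directory that has no execute permission, so a filter bug does not become code execution.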

Bryant said the vulnerability was not responsibly disclosed. Microsoft engineers began investigating it when the claim surfaced publicly last week.

In September, Microsoft issued an advisory acknowledging three vulnerabilities in the FTP service of the IIS Web server that could be exploited by an unauthenticated attacker. Proof-of-concept code for the IIS flaws was publicly available. Microsoft released a patch rated "important" in October, a record patching month, to repair them.

