Security researchers have discovered a Microsoft Internet Information Services (IIS) zero-day vulnerability that could be used by an attacker to upload malicious code on a Web server.
The vulnerability was acknowledged by Microsoft on Sunday. The IIS file parsing extension vulnerability can be executed by passing files with multiple extensions separated by a semi-colon. Proof-of-concept exploit code works on IIS 6 and prior versions, according to a report by Guy Bruneau of Ottawa, Canada-based security firm IPSS Inc. in the Sans Internet Storm Center Diary.
Nov. - Microsoft patches serious Windows kernel flaws: Vulnerabilities in several Windows kernel drivers could be remotely exploited to gain complete access to a system.
Microsoft security program manager Jerry Bryant dismissed the critical nature of the IIS 6.0 vulnerability. In a Microsoft Security Response Center (MSRC) blog entry, Bryant said the IIS Web server must be in a non-default, unsafe configuration in order to be vulnerable. Microsoft is also unaware of any active attacks targeting the vulnerability, he said.
"An attacker would have to be authenticated and have write access to a directory on the Web server with execute permissions, which does not align with best practices or guidance Microsoft provides for secure server configuration," Bryant said.
Danish vulnerability clearinghouse Secunia gave the vulnerability a less critical rating. In its advisory, Secunia credits researcher Soroush Dalili with discovering the IIS vulnerability. As a workaround until a patch is released, administrators can restrict file uploads to trusted users or remote executables for upload directories, Secunia said.
Bryant said the vulnerability was not responsibly disclosed. Microsoft engineers began researching the vulnerability when a new claim surfaced last week.
In September Microsoft issued an advisory acknowledging three FTP vulnerabilities in the IIS Web server that would have enabled an unauthenticated hacker to pull off a successful attack. IIS proof-of-concept code was publicly available for the vulnerability. Microsoft released a patch rated important in October repairing the IIS vulnerabilities in a record patching month.