Microsoft said an Internet Information Services (IIS) parsing extension issue,which could lead to a vulnerable system, is not a flaw that can be patched, but an IIS configuration error that can be avoided by following best practices.
The software giant issued an update on its blog last week, giving links outlining best practices for configuring the IIS Web server. A security expert warned last week about the discovery of a parsing extension vulnerability that could be exploited to pass malicious code and ultimately gain control of the Web server. The issue was described as an error in the way IIS 6 handles semicolons in URLs.
But Microsoft's Christopher Budd explained on the company's Security Response Center blog that the issue is a IIS configuration error that could lead to a vulnerable system. The out-of-the-box, default configuration will not enable an attacker to bypass content filtering software to upload malicious code on the Microsoft Web server.
"This is not the default configuration for IIS and is contrary to all of our published best practices," Budd wrote. "Quite simply, an IIS server configured in this manner is inherently vulnerable to attack."
Budd added that users of IIS with both "write" and "execute" privileges on the same directory should review best practices and make changes to mitigate similar threats to the Web server.