
Microsoft doesn't rule out rushed patch for IIS zero-day vulnerability

Software giant dismisses the critical nature of the Internet Information Services zero-day flaw, but doesn't rule out an out-of-band patch.


Security researchers have discovered a Microsoft Internet Information Services (IIS) zero-day vulnerability that could be used by an attacker to upload malicious code on a Web server.

The vulnerability was acknowledged by Microsoft on Sunday. The IIS file-parsing extension vulnerability can be triggered by passing files with multiple extensions separated by a semicolon. Proof-of-concept exploit code works on IIS 6 and prior versions, according to a report by Guy Bruneau of Ottawa, Canada-based security firm IPSS Inc. in the SANS Internet Storm Center diary.


Microsoft security program manager Jerry Bryant dismissed the critical nature of the IIS 6.0 vulnerability. In a Microsoft Security Response Center (MSRC) blog entry, Bryant said the IIS Web server must be in a non-default, unsafe configuration in order to be vulnerable. Microsoft is also unaware of any active attacks targeting the vulnerability, he said.

"An attacker would have to be authenticated and have write access to a directory on the Web server with execute permissions, which does not align with best practices or guidance Microsoft provides for secure server configuration," Bryant said.

Danish vulnerability clearinghouse Secunia gave the vulnerability a "less critical" rating. In its advisory, Secunia credits researcher Soroush Dalili with discovering the IIS vulnerability. As a workaround until a patch is released, administrators can restrict file uploads to trusted users or remove execute permissions from upload directories, Secunia said.
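A defender-side illustration of the check the workaround above depends on, added here as example code that is not from the article, Microsoft or Secunia: a naive upload filter that inspects only the trailing extension, beside a whole-name whitelist that rejects the semicolon form described earlier. The allowed-extension list and the server-chosen storage name are constructed assumptions for the example.

```python
import re
from typing import Optional, Tuple

# Constructed whitelist for the example; a real upload handler uses its own list.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}

# One base name, exactly one dot, one short extension. A ';', '/', '\\', space or
# second dot cannot match, so "page.asp;.jpg" is refused before IIS ever sees it.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}\.(?P<ext>[A-Za-z0-9]{1,5})$")


def naive_is_safe(filename: str) -> bool:
    """Weak check: looks only at the text after the last dot.

    It approves "page.asp;.jpg" because the trailing extension is "jpg", while
    the affected server stops parsing at the ';' and treats the file as ASP.
    """
    ext = filename.rsplit(".", 1)[-1].lower()
    return ext in ALLOWED_EXTENSIONS


def hardened_is_safe(filename: str) -> Tuple[bool, str]:
    """Whole-name check. Returns (accepted, reason) so rejections can be logged."""
    match = _SAFE_NAME.fullmatch(filename)
    if match is None:
        return False, "name must be <base>.<ext> with only [A-Za-z0-9_-] in the base"
    ext = match.group("ext").lower()
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension .{ext} is not on the whitelist"
    return True, "ok"


def storage_name(filename: str, upload_id: int) -> Optional[str]:
    """Never store under the client-supplied name: keep only the validated
    extension and let the server choose the base name (assumed scheme)."""
    accepted, _reason = hardened_is_safe(filename)
    if not accepted:
        return None
    ext = filename.rsplit(".", 1)[-1].lower()
    return f"upload_{upload_id}.{ext}"
```

Even with this filter in place, the upload directory should still carry no execute permission, as the Secunia workaround says; the filename check is defence in depth, not the fix.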

Bryant said the vulnerability was not responsibly disclosed. Microsoft engineers began researching the vulnerability when a new claim surfaced last week.

In September, Microsoft issued an advisory acknowledging three FTP vulnerabilities in the IIS Web server that would have enabled an unauthenticated attacker to pull off a successful attack. IIS proof-of-concept code was publicly available for those vulnerabilities. Microsoft released a patch rated important in October repairing the IIS vulnerabilities in a record patching month.
