Microsoft confirms IIS hole
December 29, 2009 – 5:46 AM
Microsoft has confirmed the security hole in its IIS web server, but hasn’t disclosed which versions of the product are affected. According to the finder of the “semi-colon bug”, versions up to and including version 6 are vulnerable. The hole allows attackers, for instance, to camouflage executable ASP files as harmless JPEG files and upload malicious code to a server.
Microsoft’s Security Response Center (MSRC) says it is investigating the vulnerability and has so far not found evidence of any attackers actively exploiting the hole to compromise a server. According to the vendor, the required conditions present an obstacle for successful attacks: Attackers must have authenticated themselves on a server and possess read as well as upload privileges to a directory which, in turn, must allow the execution of code.
Source:
http://www.h-online.com/security/news/item/Microsoft-confirms-IIS-hole-893413.html
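Because the bug lets an ASP file pass as a JPEG by its name, an upload handler is safer when it validates client-supplied names itself and stores files under names it generates. The following is an added example, not code from the article or from Microsoft; the extension allowlist, the function names and the sample filenames in the comments are assumptions constructed for illustration.

```python
import re
import unicodedata
import uuid

# Assumed upload policy: images only.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}

# Exactly one dot: a stem of safe characters, then a short extension.
# A second dot, a semicolon, a path separator or whitespace cannot match.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9_-]{0,63}\.[A-Za-z0-9]{1,5}")


def normalize(name):
    """Fold compatibility forms (e.g. a fullwidth semicolon) to ASCII."""
    return unicodedata.normalize("NFKC", name)


def check_upload_name(name):
    """Return (ok, reason) for a client-supplied upload filename."""
    name = normalize(name)
    if ";" in name:
        # Reported separately so that attempts show up clearly in logs.
        return False, "semicolon in name"
    if not SAFE_NAME.fullmatch(name):
        return False, "name is not <stem>.<ext> with safe characters"
    if name.rsplit(".", 1)[1].lower() not in ALLOWED_EXTENSIONS:
        return False, "extension not allowed"
    return True, "ok"


def stored_name(name):
    """Return a server-generated name; the client's name is never reused."""
    ok, reason = check_upload_name(name)
    if not ok:
        raise ValueError(reason)
    ext = normalize(name).rsplit(".", 1)[1].lower()
    return f"{uuid.uuid4().hex}.{ext}"


if __name__ == "__main__":
    # Constructed sample names, not taken from any real incident.
    for sample in ["holiday.jpg", "holiday.asp;.jpg", "holiday.asp.jpg"]:
        print(sample, check_upload_name(sample))
```

This complements the condition named by Microsoft: the upload directory itself should not allow the execution of code.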
One Response to “Microsoft confirms IIS hole”
Results of Investigation into Holiday IIS Claim:
http://blogs.technet.com/msrc/archive/2009/12/29/results-of-investigation-into-holiday-iis-claim.aspx
By manunkind on Dec 29, 2009