Microsoft debunks IIS vulnerability claims

Microsoft has denied claims of a new vulnerability in Internet Information Services 6, putting the blame on poorly configured web servers.

Microsoft has denied claims of a new vulnerability in Internet Information Services 6, putting the blame on poorly configured web servers.

In a blog post on Tuesday, the company said it had completed an investigation into claims that a flaw in how the IIS interprets file extensions in uniform resource locators (URLs) can enable an attacker to bypass content-filtering software to upload and execute code on an IIS server. The company found "no vulnerability" in IIS.

Security researcher Soroush Dalili highlighted the issue on Christmas Day in a research paper released via his website, describing the impact as "highly critical for web applications".

For more on this story, read "Microsoft debunks IIS vulnerability claims" on ZDNet Asia.

Newsletters

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
See All
See All