Microsoft has denied claims of a new vulnerability in Internet Information Services 6, putting the blame on poorly configured web servers.
In a blog post on Tuesday, the company said it had completed an investigation into claims that a flaw in how the IIS interprets file extensions in uniform resource locators (URLs) can enable an attacker to bypass content-filtering software to upload and execute code on an IIS server. The company found "no vulnerability" in IIS.
Security researcher Soroush Dalili highlighted the issue on Christmas Day in a paper released via his website, describing the impact as "highly critical for web applications".
For more on this story, see Microsoft debunks IIS vulnerability claims on ZDNet Asia.