
Microsoft warns of new server vulnerability

Ina Fried CNET News | May 19, 2009 5:29 AM PDT

Summary

Microsoft said it is looking into "public reports of a possible vulnerability in Microsoft Internet Information Services (IIS)."
A new, unpatched vulnerability exists in one of Microsoft's server products, the company warned late on Monday.

In a technical bulletin, the company said it is looking into "public reports of a possible vulnerability in Microsoft Internet Information Services (IIS)."

The company said that a flaw exists in a certain type of web-serving operation.

"An elevation of privilege vulnerability exists in the way that the WebDAV extension for IIS handles HTTP requests," Microsoft said. "An attacker could exploit this vulnerability by creating a specially crafted anonymous HTTP request to gain access to a location that typically requires authentication."

Microsoft said it is not aware of attacks using the vulnerability. The company said it may provide an update as part of its monthly Patch Tuesday or, depending on the severity, could provide a fix outside its monthly patching schedule.

In the meantime, the company listed on its website certain configuration settings that can help mitigate the impact of the flaw.
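While no patch is available, administrators can review IIS logs for the pattern Microsoft describes: an anonymous WebDAV request that succeeds against a location meant to require authentication. The following is an added example, not code from Microsoft or from the article; the log lines are constructed, and the `/protected/` prefix is an assumed stand-in for whatever paths the operator restricts.

```python
# Added example: scan an IIS W3C extended log for anonymous WebDAV requests
# that returned success on paths the operator expects to require authentication.

# WebDAV methods defined by RFC 4918.
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"}

# Constructed sample log; addresses are documentation ranges, paths are hypothetical.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status
2009-05-19 10:01:02 GET /index.htm - 192.0.2.10 200
2009-05-19 10:01:05 PROPFIND /protected/ - 192.0.2.10 401
2009-05-19 10:01:09 PROPFIND /Protected/reports/ - 192.0.2.10 207
2009-05-19 10:02:00 PROPFIND /protected/ alice 198.51.100.7 207
2009-05-19 10:03:00 PROPFIND /public/ - 192.0.2.10 207
2009-05-19 10:03:30 PROPFIND /protected/
"""

def parse_w3c(lines):
    """Yield one dict per request, keyed by the most recent #Fields directive."""
    fields = []
    for raw in lines:
        line = raw.strip()
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))

def anonymous_webdav_hits(lines, protected_prefixes):
    """Return requests that are WebDAV, anonymous ('-'), 2xx, and under a protected path."""
    prefixes = [p.lower() for p in protected_prefixes]  # IIS paths are case-insensitive
    hits = []
    for rec in parse_w3c(lines):
        method = rec.get("cs-method", "").upper()
        stem = rec.get("cs-uri-stem", "")
        status = rec.get("sc-status", "")
        if (method in WEBDAV_METHODS and rec.get("cs-username") == "-"
                and status.startswith("2")
                and any(stem.lower().startswith(p) for p in prefixes)):
            hits.append((rec.get("date"), rec.get("time"), rec.get("c-ip"),
                         method, stem, status))
    return hits

if __name__ == "__main__":
    for hit in anonymous_webdav_hits(SAMPLE_LOG.splitlines(), ["/protected/"]):
        print(hit)
```

A hit is a lead for investigation, not proof of exploitation: the same pattern appears if a protected path has been configured to allow anonymous access.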

This article was originally posted on CNET News.

Talkback Most Recent of 13 Talkback(s)

  • Oh gawd, say it isn't so.
    There is no way in the world I believe this c.r.a.p.

    Microsoft is the bestest software developing company in the world. Take for instance its Intertwined Exploiter. just kidding

    I read this story elsewhere yesterday & Microsoft denied the exploit. Quick turn-a-round on this one.
    Intellihence
    19th May 2009
  • ye
    19th May 2009
  • ....
    Where did the OP mention Apache?

    ^o^

    n0neXn0ne
    19th May 2009
  • I agree. I had a web site attempt to
    download a virus onto my computer. I was surprised that it was Apache based running on Linux.

    Cannot they take a lesson from Microsoft and make their software more secure?
    GuidingLight
    19th May 2009
  • Both Apache and IIS are pretty secure
    Very few actual vulnerabilities are found in any of the products. I would wager a bet that 99.999% of successful attacks from the latest years were through the application layer or a misconfiguration.
    honeymonster
    19th May 2009
  • I agree with you.
    My response was to be of Intellihence's post
    (Where only Microsoft software has problems, everyone else's is 100 percent perfect) but I pressed the wrong button, replied to Story, not Message.

    But that was my point: there is nothing perfect, and many problems will be found with all software over time.
    GuidingLight
    19th May 2009
  • re: I agree with you.
    "...(Where only Microsoft software has problems, everyone else's is 100 percent perfect )
    ...
    But that was my point: there is nothing perfect ,..."


    You build up a straw man only to knock him down, eh?


    ^o^

    n0neXn0ne
    19th May 2009
  • More info
    IIS7 (distributed with Server 2008) is not affected.

    IIS6 (distributed with Server 2003) is not affected in its default configuration. It is only affected if WebDAV has been installed and configured.

    The vulnerability allows the attacker to bypass security mechanisms and access otherwise protected resources as anonymous user. As this user by default does not have write access the attacker will not be able to write files on the server, unless the admin has granted rights to anonymous (which would be really stupid).

    It is unclear if the attacker can execute e.g. aspx pages or merely read files.

    In the first case it could be really bad for a lot of sites, as pages typically do allow users to change something.

    In the latter case the attacker may be able to snoop on configuration files. Which may also be bad if he can learn SQL server passwords etc. that way (ASP.NET allows the "connection string" section to be encrypted as a production best practice which would mitigate this).
    honeymonster
    19th May 2009
  • Typical MS-like response
    Instead of dealing with the issue they ignore the problem while trying to direct criticism onto others.

    MyMac
    19th May 2009
  • ye
    19th May 2009
  • typical uninformed moron.....
    the only thing Microsoft hasn't done is issue a patch. Which they are developing and TESTING now.

    This issue doesn't affect default installations of IIS, and unless anonymous has write access the issue is moot anyway.

    try enabling anonymous write access on any internet application and see what happens.

    Idiot.
    JoeMama_z
    19th May 2009
  • Unfortunate, but true...
    I'd be the first to knock M$ if this was anything important to scorn. But it's just a patch and letting people know is a good thing. If we're going to criticize something from M$, we have to at least sound level headed and impartial.

    (Even if they are a bunch of doo-doo heads!)


    Socratesfoot
    19th May 2009
  • Parassassin
    20th May 2009
