/>
X

Microsoft confirms server vulnerability warning

Microsoft has activated its security response process to deal with the release of a exploit code targeting an unpatched vulnerability affecting IIS 5.0 through 6.
ryan-naraine.jpg
Written by Ryan Naraine on

Microsoft has activated its security response process to deal with the release of a exploit code targeting an unpatched vulnerability affecting IIS 5.0 through 6.0.

The company released a formal pre-patch advisory to acknowledge the vulnerability and offer mitigation guidance for customers.

Microsoft is investigating new public reports of a possible vulnerability in Microsoft Internet Information Services (IIS). An elevation of privilege vulnerability exists in the way that the WebDAV extension for IIS handles HTTP requests. An attacker could exploit this vulnerability by creating a specially crafted anonymous HTTP request to gain access to a location that typically requires authentication.

We are not aware of attacks that are trying to use this vulnerability or of customer impact at this time. Microsoft is investigating the public reports.

Affected Software:

  • Microsoft Internet Information Services 5.0
  • Microsoft Internet Information Services 5.1
  • Microsoft Internet Information Services 6.0

Microsoft's advisory comes just days after a hacker known as "Kingcope" published details of the vulnerability (.PDF) on several mailing lists.

Thierry Zoller has been maintaining detailed notes on this issue:

  1. Webdav is not enabled by default on IIS6, IIS7 + Webdav is not affected
  2. IIS 5 and IIS 5.1 are also affected.
  3. Enabling Webdav applies to all websites and doesn't have to be enabled per site.
  4. You can actually upload content to the web server, if the IUSR_anonymous has write access to webdav folders. (To any other folder if the account has write access to other folders)
  5. This seems to have a similar (root cause) then the 2001 Unicode IIS4/5 bug , but not exactly the same
  6. "Translate:f" is required for GET requests, PROPFIND works without the translate option.

Related

Apple politely explains why iPhone cases are a waste of money
Apple iPhone 13 Pro Max

Apple politely explains why iPhone cases are a waste of money

Apple
The 8 best iPhone models of 2022
iphone-12-models.png

The 8 best iPhone models of 2022

iPhone
Delta Air Lines just made a callous admission that customers may find galling
screen-shot-2022-07-18-at-5-18-46-pm.png

Delta Air Lines just made a callous admission that customers may find galling

Business