Microsoft debunks IIS vulnerability claims

Microsoft has denied claims of a new vulnerability in Internet Information Services 6, putting the blame on poorly configured web servers.

In a blog post on Tuesday, the company said it had completed an investigation into claims that a flaw in how IIS interprets file extensions in uniform resource locators (URLs) can enable an attacker to bypass content-filtering software to upload and execute code on an IIS server. The company found "no vulnerability" in IIS.

Security researcher Soroush Dalili highlighted the issue on Christmas Day in a research paper released via his website, describing the impact as "highly critical for web applications".

For more on this story, read "Microsoft debunks IIS vulnerability claims" on ZDNet Asia.