Microsoft denies IIS vulnerability claims

The software giant says it has investigated claims of a flaw in Internet Information Services 6, but has found 'no vulnerability'

Microsoft has denied claims of a new vulnerability in Internet Information Services 6, putting the blame on poorly configured web servers.

In a blog post on Tuesday, the company said it had completed an investigation into claims that a flaw in how IIS interprets file extensions in uniform resource locators (URLs) can enable an attacker to bypass content-filtering software to upload and execute code on an IIS server. The company found "no vulnerability" in IIS.

Security researcher Soroush Dalili highlighted the issue on Christmas Day in a paper released via his website, describing the impact as "highly critical for web applications".

For more on this story, see Microsoft debunks IIS vulnerability claims on ZDNet Asia.