Windows zero-day affects 600,000 older servers, but likely won't be patched

The security vulnerability is publicly exploitable, but Microsoft only fixes "currently supported versions."
Written by Zack Whittaker, Contributor

A previously-undisclosed security flaw in an older Windows web server won't be patched, despite hundreds of thousands of servers still running the outdated software.

The vulnerability in the Windows Internet Information Services (IIS 6) web server has been remotely exploited since July last year, according to two security researchers at the South China University of Technology, who released a proof-of-concept exploit for the vulnerability on GitHub this week.

The affected version of IIS 6 was first released with Windows Server 2003, but it was no longer supported as of 2015.

As a result, Microsoft said it likely won't fix the flaw.

"This issue does not affect currently supported versions," said a Microsoft spokesperson. "We continue to recommend that customers upgrade to our latest operating systems and benefit from robust, modern protection."

More than 600,000 older IIS 6 servers are still in use, mostly in the US and China, according to a search on Shodan, a search engine for internet-connected devices.

In a blog post, Trend Micro researchers said that if successfully exploited, the vulnerability could lead to remote code execution, but even an unsuccessful attack may still lead to denial-of-service conditions.

The researchers said disabling WebDAV should mitigate the flaw. Or, of course, there's always the option of updating to a newer, more secure version of the software.
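One way for an administrator to confirm from the server's own logs that the WebDAV mitigation the researchers recommend is actually in effect is to look for WebDAV methods that the server still answers. This is an added Python example, not code from the article or the researchers; the log lines and IP addresses are constructed, and the field names are the ones IIS writes in the #Fields directive of its W3C extended log format.

```python
# Added example (not from the article): parse IIS 6 W3C extended log lines and
# report whether WebDAV methods are still being served, as a way to confirm the
# "disable WebDAV" mitigation took effect. All log lines below are constructed.
from collections import Counter

WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"}

# Constructed sample in IIS 6 W3C extended format; column order comes from #Fields.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 6.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2017-03-28 10:00:01 10.0.0.5 GET /index.htm - 80 - 192.0.2.10 Mozilla/5.0 200 0 0
2017-03-28 10:00:02 10.0.0.5 PROPFIND / - 80 - 198.51.100.7 Microsoft-WebDAV-MiniRedir 207 0 0
2017-03-28 10:00:03 10.0.0.5 PROPFIND / - 80 - 198.51.100.7 Microsoft-WebDAV-MiniRedir 207 0 0
2017-03-28 10:00:04 10.0.0.5 OPTIONS / - 80 - 203.0.113.9 - 200 0 0
2017-03-28 10:00:05 10.0.0.5 PROPFIND /docs - 80 - 203.0.113.9 - 405 0 0
"""

def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
        elif line.startswith("#") or not line.strip():
            continue  # other directives and blank lines carry no request
        elif fields is None:
            raise ValueError("request line before #Fields directive")
        else:
            parts = line.split(" ")
            if len(parts) == len(fields):  # skip malformed lines instead of mis-mapping columns
                yield dict(zip(fields, parts))

def webdav_status(text):
    """Count WebDAV requests the server served (2xx, incl. 207) versus rejected (405/501)."""
    served, rejected, sources = 0, 0, Counter()
    for rec in parse_w3c(text):
        if rec["cs-method"] not in WEBDAV_METHODS:
            continue
        status = int(rec["sc-status"])
        if 200 <= status < 300:       # still answering WebDAV: mitigation not in place
            served += 1
            sources[rec["c-ip"]] += 1
        elif status in (405, 501):    # method rejected: what you expect after disabling it
            rejected += 1
    return {"served": served, "rejected": rejected,
            "webdav_enabled": served > 0, "sources": dict(sources)}

if __name__ == "__main__":
    print(webdav_status(SAMPLE_LOG))
```

Run against a real IIS 6 log after applying the mitigation; any WebDAV method still getting a 2xx means the change did not take effect on that site.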

