Windows 7: Results of Investigation into Holiday IIS Claim.

JMH · 30 Dec 2009

Quote:

We’ve completed our investigation into the claims that came up over the holiday of a possible vulnerability in IIS and found that there is no vulnerability in IIS.
What we have seen is that there is an inconsistency in IIS 6 only in how it handles semicolons in URLs. It’s this inconsistency that the claims have focused on, saying this enables an attacker to bypass content filtering software to upload and execute code on an IIS server.

Source -
The Microsoft Security Response Center (MSRC) : Results of Investigation into Holiday IIS Claim

reghakr · 30 Dec 2009

UPDATE............again

Administrators following secure configuration best practices should not be at risk to a new, zero-day vulnerability in Microsoft’s Internet Information Services (IIS), according to the software giant. A senior security program manager at Microsoft said Sunday night in a blog post that the company is investigating reports of a flaw in the IIS web server but is unaware of any active attacks. He said that for an attack to occur, IIS must be in a “nondefault, unsafe configuration,” and anintruder would have to be authenticated with privileges to execute commands that do not
comply with Microsoft guidance. “Customers using out-of-the-box configurationsand who follow security best practices are at reduced risk of being impacted by issues like this,” he said. A handler posting on the SANS Internet Storm Center site said Sunday that administrators still must be careful because they could unknowingly be running a vulnerable web server due to a webmaster’s mistake.

More.........
Source: New IIS flaw deemed low risk in proper configurations - SC Magazine US

Windows 7: Results of Investigation into Holiday IIS Claim.

Results of Investigation into Holiday IIS Claim. problems?