Windows 7 Forums

Welcome to Windows 7 Forums. Our forum is dedicated to helping you find support and solutions for any problems regarding your Windows 7 PC be it Dell, HP, Acer, Asus or a custom build. We also provide an extensive Windows 7 tutorial section that covers a wide range of tips and tricks.


Windows 7: Microsoft confirms 0-Day IIS security vulnerability

29 Dec 2009   #1
reghakr

Windows 7 Pro & Vista Home Premium
 
 
Microsoft confirms 0-Day IIS security vulnerability

Microsoft has confirmed officially a zero-day security vulnerability affecting Internet Information Services (IIS). The security hole was initially reported just ahead of Christmas on December 23rd, and the Redmond company provided the first response at the end of the past week. So far, the issue in question affects version 6 of IIS on a fully patched Windows Server 2003 R2 SP2; however, additional IIS
releases might also be impacted. A Microsoft security program manager notes that

Microsoft is aware of the problem and that investigation into the matter has already been kicked off. At the same time, the program manager assured customers running IIS that it hasn’t detected any active attacks in the wild targeting the new 0-day flaw.

The vulnerability identified in Microsoft Internet Information Services (IIS) involves the incorrect manner in which the server deals with files with multiple extensions. As long as the multiple extensions are divided by the “;” character, the IIS server handles them as ASP files.

A possible attacks scenario could be based on an exploit constructed out of malformed executables. Any malicious files uploaded to a vulnerable web server would circumvent any file extension protections and restrictions in place.

More/.........Microsoft Confirms 0-Day IIS Security Vulnerability - IIS 6.0 Security Best Practices can help mitigate the threat - Softpedia


My System SpecsSystem Spec
.
29 Dec 2009   #2
Corrine

Windows 7 & Windows Vista Ultimate
 
 

Update:
Quote:
We’ve completed our investigation into the claims that came up over the holiday of a possible vulnerability in IIS and found that there is no vulnerability in IIS.

What we have seen is that there is an inconsistency in IIS 6 only in how it handles semicolons in URLs. It’s this inconsistency that the claims have focused on, saying this enables an attacker to bypass content filtering software to upload and execute code on an IIS server.

The key in this is the last point: for the scenario to work, the IIS server must already be configured to allow both “write” and “execute” privileges on the same directory. This is not the default configuration for IIS and is contrary to all of our published best practices. Quite simply, an IIS server configured in this manner is inherently vulnerable to attack.
See the complete report at The Microsoft Security Response Center (MSRC) : Results of Investigation into Holiday IIS Claim
My System SpecsSystem Spec
30 Dec 2009   #3
richc46

Microsoft Community Contributor Award Recipient

Windows 10, Home Clean Install
 
 

Quote   Quote: Originally Posted by Corrine MVP View Post
Update:
Quote:
We’ve completed our investigation into the claims that came up over the holiday of a possible vulnerability in IIS and found that there is no vulnerability in IIS.

What we have seen is that there is an inconsistency in IIS 6 only in how it handles semicolons in URLs. It’s this inconsistency that the claims have focused on, saying this enables an attacker to bypass content filtering software to upload and execute code on an IIS server.

The key in this is the last point: for the scenario to work, the IIS server must already be configured to allow both “write” and “execute” privileges on the same directory. This is not the default configuration for IIS and is contrary to all of our published best practices. Quite simply, an IIS server configured in this manner is inherently vulnerable to attack.
See the complete report at The Microsoft Security Response Center (MSRC) : Results of Investigation into Holiday IIS Claim
Excellent advice, Corrine, as always.
My System SpecsSystem Spec
.

Reply

 Microsoft confirms 0-Day IIS security vulnerability




Thread Tools




Similar help and support threads
Thread Forum
Microsoft Confirms Attacks Targeting Critical ASP.NET Vulnerability
More - Microsoft Confirms Attacks Targeting Critical ASP.NET Vulnerability - Softpedia
News
Microsoft confirms XP zero-day exploit.
For those of us that still use or have XP loaded... Hackers exploit Windows XP zero-day, Microsoft confirms Source Hackers exploit Windows XP zero-day, Microsoft confirms - Computerworld Tool/fix provided - Microsoft Fix It
News
Microsoft Confirms x64 Windows 7 Aero Vulnerability
Source - Microsoft Confirms x64 Windows 7 Aero Vulnerability - In the Windows Canonical Display Driver - Softpedia
News
Microsoft Confirms Attacks Targeting Critical 0-Day Office Excel Vulnerability
more: Softpedia
Microsoft Office


Our Sites

Site Links

About Us

Find Us

Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.

© Designer Media Ltd

All times are GMT -5. The time now is 15:39.

Twitter Facebook Google+



Windows 7 Forums

Seven Forums Android App Seven Forums IOS App