Windows 7: New Reports of a Vulnerability in IIS

27 Dec 2009   #1
SGT Oddball

New Reports of a Vulnerability in IIS

Hi everyone,

On Dec. 23 we were made aware of a new claim of a vulnerability in Internet Information Services (IIS). We are still investigating this issue and are not aware of any active attacks but wanted to let customers know that our initial assessment shows that the IIS web server must be in a non-default, unsafe configuration in order to be vulnerable. An attacker would have to be authenticated and have write access to a directory on the web server with execute permissions which does not align with best practices or guidance Microsoft provides for secure server configuration. Customers using out of the box configurations and who follow security best practices are at reduced risk of being impacted by issues like this.

Once we’re done investigating, we will take appropriate action to help protect customers. This may include providing a security update through the monthly release process, an out-of-cycle update or additional guidance to help customers protect themselves.

This vulnerability was not responsibly disclosed to Microsoft and may put customers at risk. We continue to encourage responsible disclosure of vulnerabilities as we believe reporting vulnerabilities directly to a vendor serves everyone's best interests. This practice helps to ensure that customers receive comprehensive, high-quality updates for security vulnerabilities without exposure to malicious attackers while the update is being developed.

I want to close by providing some resources and best practices for securely configuring IIS servers:

IIS 6.0 Security Best Practices

Securing Sites with Web Site Permissions

IIS 6.0 Operations Guide

Improving Web Application Security: Threats and Countermeasures


Jerry Bryant

*This posting is provided "AS IS" with no warranties, and confers no rights*
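
The condition named in the post (a directory that is writable and also has execute permissions) can be checked against an IIS 6.0 metabase export. The following is an added example, not part of the post or of Microsoft's guidance. It assumes IIS 6.0 `AccessFlags` values in a MetaBase.xml-style file, uses a constructed sample, and looks only at IIS web permissions, not NTFS ACLs.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the style of an IIS 6.0 MetaBase.xml (simplified: no
# XML namespace, only the attributes this check reads). Not from the post.
SAMPLE = """<MBProperty>
  <IIsWebServer Location="/LM/W3SVC/1" ServerComment="Example site"/>
  <IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT" AccessFlags="AccessRead | AccessScript"/>
  <IIsWebDirectory Location="/LM/W3SVC/1/ROOT/uploads" AccessFlags="AccessRead | AccessWrite"/>
  <IIsWebDirectory Location="/LM/W3SVC/1/ROOT/cgi" AccessFlags="AccessRead | AccessExecute"/>
  <IIsWebDirectory Location="/LM/W3SVC/1/ROOT/dropbox" AccessFlags="AccessRead | AccessWrite | AccessScript"/>
  <IIsWebDirectory Location="/LM/W3SVC/1/ROOT/dropbox/incoming"/>
</MBProperty>"""

# "Scripts only" and "Scripts and Executables" both count as execute permission.
RUN_FLAGS = {"AccessScript", "AccessExecute"}

def parse_flags(value):
    """Split 'AccessRead | AccessWrite' into a set of flag names."""
    return {f.strip() for f in value.split("|") if f.strip()}

def effective_flags(location, explicit):
    """Nearest explicit AccessFlags on the node or an ancestor (metabase inheritance)."""
    path = location
    while path:
        if path in explicit:
            return explicit[path]
        path = path.rpartition("/")[0]
    return set()

def audit(xml_text):
    """Return (Location, flags) for nodes that are both writable and executable."""
    nodes = [e for e in ET.fromstring(xml_text).iter() if "Location" in e.attrib]
    key = lambda e: e.get("Location").rstrip("/").upper()  # normalise case and trailing slash
    explicit = {key(e): parse_flags(e.get("AccessFlags"))
                for e in nodes if e.get("AccessFlags") is not None}
    findings = []
    for e in nodes:
        flags = effective_flags(key(e), explicit)
        if "AccessWrite" in flags and flags & RUN_FLAGS:
            findings.append((e.get("Location"), sorted(flags)))
    return findings

if __name__ == "__main__":
    for location, flags in audit(SAMPLE):
        print(f"{location}: {' | '.join(flags)}")
```

The child node without its own `AccessFlags` is reported because it inherits the parent's write and script permissions, which is the case a per-node check would miss.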

