The other day ISC Handler Guy Bruneau posted a Diary pointing to a "Microsoft IIS 0Day Vulnerability in Parsing Files (semi-colon bug)". Secunia has confirmed the vulnerability "on a fully patched Windows Server 2003 R2 SP2 running Microsoft IIS version 6. Other versions may also be affected". It should be mentioned that if you don't think you're vulnerable because you are running a non-vulnerable version of IIS, the vulnerable functionality may have been made available by your webmaster when deploying IIS. After reading up on related posts and IIS issues, the nature of the vulnerability is such that it's going to be widely exploited soon, quite successfully, and not only by the usual suspects, but more effectively by the specialized groups of attackers that are after unrestricted access to your protected network, and, of course, the other groups after more mundane items like bank accounts. No response yet from Microsoft that I see; I would expect significant customer pressure is on Microsoft to correct this vulnerability in the January patch cycle.
Patrick 193 Posts Dec 27th 2009
Once again:
Microsoft has responded already: http://blogs.technet.com/msrc/archive/2009/12/27/new-reports-of-a-vulnerability-in-iis.aspx
Anonymous Dec 28th 2009
McAfee Intrushield
Signature: UDS-HTTP: Microsoft IIS Multiple Extension Processing Security Bypass Vulnerability
Signature identifier: 0x40274500
Release date: 12/24/2009
First released in: UDS
Patrick 193 Posts Dec 28th 2009