SANS ISC: Pressure increasing for Microsoft to patch IIS 0 day - SANS Internet Storm Center
Pressure increasing for Microsoft to patch IIS 0 day

The other day ISC Handler Guy Bruneau posted a Diary pointing to a "Microsoft IIS 0Day Vulnerability in Parsing Files (semi-colon bug)". Secunia has confirmed the vulnerability "on a fully patched Windows Server 2003 R2 SP2 running Microsoft IIS version 6. Other versions may also be affected". Note that even if you believe you are not vulnerable because you run a version of IIS that is not listed as affected, your webmaster may have enabled the vulnerable functionality when deploying IIS.
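The defensive check that matters for this class of bug is validating the name IIS will actually act on, not the raw name a user supplies. The following is an added example, not code from the diary or from Microsoft: it normalizes a filename the way IIS 6 does (truncating at the first semicolon), enforces a single allowlisted extension for a hypothetical upload feature, and runs a simple detector over a constructed IIS W3C log excerpt. The allowlist, the script-extension set and the log lines are assumptions for illustration.

```python
import re
from typing import List, Optional

# Hypothetical allowlist for an upload feature (assumption, not from the diary).
ALLOWED_UPLOAD_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".pdf"}
# Extensions IIS 6 maps to the ASP script engine by default (assumed set for illustration).
SCRIPT_EXTENSIONS = {".asp", ".asa", ".aspx", ".ashx", ".asmx", ".cer", ".cdx"}


def iis6_effective_name(filename: str) -> str:
    """Name IIS 6 actually uses when choosing a handler.

    The "semi-colon bug" is that IIS 6 stops reading the name at the first ';',
    so a stored file 'photo.asp;.jpg' is handled as 'photo.asp'.
    """
    return filename.split(";", 1)[0]


def is_safe_upload_name(filename: str) -> bool:
    """Accept only a plain base name with exactly one allowlisted extension.

    Checking the effective name (after IIS truncation) is the point: a raw name
    that merely ends in '.jpg' is not sufficient evidence that it is an image.
    """
    if iis6_effective_name(filename) != filename:   # any ';' is rejected outright
        return False
    if any(c in filename for c in "/\\\x00") or ".." in filename:
        return False
    m = re.fullmatch(r"[A-Za-z0-9_-]+(\.[A-Za-z0-9]+)", filename)
    if m is None:                                    # no extension, or more than one
        return False
    return m.group(1).lower() in ALLOWED_UPLOAD_EXTENSIONS


def flag_request(uri_stem: str) -> Optional[str]:
    """Return a reason string when a requested path looks like a semicolon
    extension bypass, else None. Used over IIS W3C logs below."""
    if ";" not in uri_stem:
        return None
    effective = iis6_effective_name(uri_stem)
    ext = effective[effective.rfind("."):].lower() if "." in effective else ""
    if ext in SCRIPT_EXTENSIONS:
        return f"script extension {ext} before ';' in {uri_stem}"
    return f"';' in request path {uri_stem}"


# Constructed IIS W3C log excerpt (sample data, not from a real server).
SAMPLE_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
2009-12-27 10:01:02 10.0.0.5 GET /uploads/photo.jpg - 80 10.0.0.9 200
2009-12-27 10:01:09 10.0.0.5 POST /upload.asp - 80 10.0.0.9 200
2009-12-27 10:01:15 10.0.0.5 GET /uploads/photo.asp;.jpg - 80 10.0.0.9 200
2009-12-27 10:01:20 10.0.0.5 GET /uploads/notes.txt;.jpg - 80 10.0.0.9 404
"""


def scan_iis_log(text: str) -> List[str]:
    """Parse the #Fields header, locate cs-uri-stem, and flag suspicious stems."""
    fields: List[str] = []
    findings: List[str] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != len(fields):               # malformed line; skip it
            continue
        rec = dict(zip(fields, parts))
        reason = flag_request(rec["cs-uri-stem"])
        if reason:
            findings.append(
                f"{rec['date']} {rec['time']} {rec['c-ip']} sc-status={rec['sc-status']}: {reason}"
            )
    return findings


if __name__ == "__main__":
    for finding in scan_iis_log(SAMPLE_LOG):
        print(finding)
```

The upload validator rejects any semicolon rather than trying to reason about what follows it, and the log scan reports hits on the effective extension so that a successful (sc-status 200) request to a script extension stands out from a mere probe.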

After reading up on related posts and IIS issues, the nature of the vulnerability is such that it is going to be widely and successfully exploited soon, and not only by the usual suspects: more effective use will come from the specialized groups of attackers who want unrestricted access to your protected network, and of course from the groups after more mundane items like bank accounts.

I have seen no response from Microsoft yet; I would expect significant customer pressure on Microsoft to correct this vulnerability in the January patch cycle.


193 Posts
Dec 27th 2009
Once again:
Microsoft has responded already:
McAfee Intrushield

UDS-HTTP: Microsoft IIS Multiple Extension Processing Security Bypass Vulnerability
Signature identifier:
Release date:
First released in: