Microsoft Warns of Vulnerability in IIS
In a recently issued security advisory, Microsoft alerts users to a security flaw in its IIS 6 (Internet Information Services) software. Exploiting the flaw could let an attacker break into a legitimate website and steal sensitive information.
The flaw lies in the way IIS handles HTTP requests. By crafting a malicious HTTP request, an attacker could exploit the flaw to gain unauthorized access to a Web-connected server and to upload malicious files to protected sections of the Web server.
Additionally, the zero-day flaw could enable an attacker to obtain other people's usernames and passwords and log into their online accounts. The stolen information could then be used to mount a further attack through which the attacker could completely compromise the server.
However, security specialists said the flaw cannot be exploited to execute remote code, which lessens its potential severity.
Eric Schultze, Chief Technology Officer at Shavlik Technologies, said that had the flaw allowed remote code execution he would have been extremely concerned, as reported by CRN on May 19, 2009. Schultze added that the flaw lets people view files on the server, which could still lead to dangerous situations depending on the type of content the malicious party viewed.
Microsoft further said the flaw also affects the earlier IIS 5 and IIS 5.1 versions. The more recent IIS 7, which was introduced with Windows Vista and is also included in Windows Server 2008, is not vulnerable.
The software giant emphasized that no known exploitation of the flaw has been observed so far. However, security specialists speculated about possible malicious activity associated with the flaw, which likely prompted Microsoft to issue the security advisory.
It is also worth noting that on the day the advisory was released, US-CERT (US Computer Emergency Response Team) and security companies, including Cisco, also warned about the bug in IIS. According to the researchers, the bug could be exploited to upload as well as view files on Web servers.
SPAMfighter News - 27-05-2009