Vulnerability in Microsoft’s IIS
There’s been a bit of a disagreement in the security community over how serious a recently discovered vulnerability in Microsoft’s Internet Information Services (IIS) really is. On one hand, the researcher who discovered the bug labeled it as “highly critical,” while at least one other security firm showed far less concern. So what does Microsoft have to say about all this?
“We’ve completed our investigation into the claims that came up over the holiday of a possible vulnerability in IIS and found there is no vulnerability in IIS,” Microsoft wrote in a blog post.
Confused? Microsoft did admit “that there is an inconsistency in IIS 6 only in how it handles semicolons in URLs,” but said that for an attacker to bypass content filtering software to upload and execute malicious code on an IIS server, the server would already have to be configured to allow both “write” and “execute” privileges on the directory.
“This is not the default configuration for IIS and is contrary to all of our published best practices,” Microsoft added. “Quite simply, an IIS server configured in this manner is inherently vulnerable to attack.”

via MaximumPC
