Microsoft Rushes Out Patch to IIS Exploit
The FTP server opens a hole that could lead to administrator compromise.
Microsoft sent out a Security Advisory late Tuesday warning users of a critical zero-day flaw in older versions of its Internet Information Services (IIS) Web server software.
Although Microsoft said in the advisory that to date it knows of no active attacks in the wild, the company said it has seen "detailed exploit code published on the Internet."
"We're currently investigating the issue as part of our Software Security Incident Response Process and working to develop a security update which will be released once it reaches an appropriate level of quality for broad distribution," Alan Wallace, senior communications manager, said in a posting on the Microsoft Security Response Center blog.
Later versions of IIS -- specifically, IIS 7.0 and 7.5 -- are not affected, according to the advisory. The affected versions of IIS came with Windows 2000 Service Pack 4 (SP4), Windows XP SP2 and SP3, and Windows Server 2003 SP2, including both 32-bit and 64-bit editions. Windows 7 and Windows Server 2008 are not affected.