Microsoft Rushes Out Patch to IIS Exploit

The FTP server opens a hole that could lead to administrator compromise.

 By Stuart J. Johnston
Page of   |  Back to Page 1
Print Article

Microsoft sent out a Security Advisory late Tuesday warning users of a critical zero-day flaw in older versions of its Internet Information Services (IIS) Web server software.

Although Microsoft said in the advisory that to date it knows of no active attacks in the wild, the company said it has seen "detailed exploit code published on the Internet."

"We're currently investigating the issue as part of our Software Security Incident Response Process and working to develop a security update … 'which' will be released once it reaches an appropriate level of quality for broad distribution," Alan Wallace, senior communications manager, said in a posting on the Microsoft Security Response Center blog.

Tuesday's advisory warns users about a hole in the file transfer protocol (FTP) functions of IIS 5.0, 5.1, and 6.0. Using the FTP service to retrieve files from a server by typing at the command-line prompt is a popular method for more technical users to handle files stored on Web servers.

Later versions of IIS -- specifically, IIS 7.0 and 7.5 -- are not affected, according to the advisory. The affected versions of IIS came with Windows 2000 Service Pack 4 (SP4), Windows XP SP2 and SP3, and Windows Server 2003 SP2, including both 32-bit and 64-bit editions. Windows 7 and Windows Server 2008 are not affected.

The company has published a workaround and is working on a security patch. Read the rest at InternetNews.com.

This article was originally published on Sep 2, 2009
Get the Latest Scoop with Networking Update Newsletter