Microsoft sent out a Security Advisory late Tuesday warning users of a critical
zero-day flaw in older versions of its Internet Information Services (IIS) Web server
Although Microsoft said in the advisory that to date it knows of no active attacks in
the wild, the company said it has seen “detailed exploit code published on the
“We’re currently investigating the issue as part of our Software Security Incident
Response Process and working to develop a security update … ‘which’ will be
released once it reaches an appropriate level of quality for broad distribution,” Alan
Wallace, senior communications manager, said in a
posting on the Microsoft Security Response Center blog.
Tuesday’s advisory warns users about a hole in the file transfer protocol (FTP)
functions of IIS 5.0, 5.1, and 6.0. Using the FTP service to retrieve files from a server
by typing at the command-line prompt is a popular method for more technical users to
handle files stored on Web servers.
Later versions of IIS — specifically, IIS 7.0 and 7.5 — are not affected, according
to the advisory. The affected versions of IIS came with Windows 2000 Service Pack 4
(SP4), Windows XP SP2 and SP3, and Windows Server 2003 SP2, including both 32-bit and
64-bit editions. Windows 7 and Windows Server 2008 are not affected.