MS dismisses IIS zero-day bug reports
It ain't vulnerable, just 'inconsistent'
Posted in Enterprise Security, 30th December 2009 13:15 GMT
Free whitepaper – Solid State Drives and High-Speed Memory
Microsoft has dismissed reports that there's an unpatched critical flaw in the latest version of its webserver software.
The software giant accepts there is an "inconsistency" in how IIS 6 handles semicolons in URLs . But it denies that this lends itself to hacking attacks, contrary to claims by security researchers shortly before Xmas. Redmond said fears that the bug allows hackers to circumvent content filtering software in order to upload and execute code on an IIS server are misplaced.
This scenario would only work if IIS web servers were set up to allow both "write" and "execute" privileges from the same directory, something that would make a system vulnerable in the first place and isn't established even in default configurations, Microsoft states. The software giant has promised to make changes to purge the inconsistent behaviour from IIS 6.
Microsoft's nothing-to-worry-about-please-move-along advisory, which helpfully provides links to best practice web server security guidelines, can be found here. ®
Free whitepaper – Ensuring service assurance in the new normal
The Register Guide to Extended Validation
The Evolving Security Landscape
The Impact of IT Security Attitudes
Risk and Resilience
Linux on the Desktop
