Microsoft IIS vuln played no role in server breach, uni says
No in-the-wild attacks reported
Network administrators at Ball State University have retracted their claims that a campus website was brought down by a zero-day vulnerability in Microsoft's Internet Information Services webserver.
"Microsoft and Ball State now have identified the cause of the breach [as] a Ball State iWeb user [who] either misused or allowed the misuse of their account, and that was determined just this afternoon," Ball State University spokesman Tony Proudfoot said on Thursday.
The account corrects an advisory campus officials issued Tuesday that claimed the breach was the result of someone targeting a vulnerability in versions 5 and 6 of IIS that allows attackers to list, access, and in some cases upload files in a password-protected folders of vulnerable machines. The vulnerability exists when IIS uses the WebDAV protocol. The advisory was featured prominently on the university's website.
"Initially, both Microsoft and Ball State suspected the intruder used the WebDAV vulnerability that was made public by Microsoft on May 15," Proudfoot said.
Microsoft has said it is unaware of any attacks that target the vulnerability. ®