MS dismisses IIS zero-day bug reports
It ain't vulnerable, just 'inconsistent'
Microsoft has dismissed reports that there's an unpatched critical flaw in the latest version of its webserver software.
The software giant accepts there is an "inconsistency" in how IIS 6 handles semicolons in URLs . But it denies that this lends itself to hacking attacks, contrary to claims by security researchers shortly before Xmas. Redmond said fears that the bug allows hackers to circumvent content filtering software in order to upload and execute code on an IIS server are misplaced.
This scenario would only work if IIS web servers were set up to allow both "write" and "execute" privileges from the same directory, something that would make a system vulnerable in the first place and isn't established even in default configurations, Microsoft states. The software giant has promised to make changes to purge the inconsistent behaviour from IIS 6.
Microsoft's nothing-to-worry-about-please-move-along advisory, which helpfully provides links to best practice web server security guidelines, can be found here. ®