The software giant said in an advisory that it was not aware of any attacks attempting to exploit the bug, which impacts IIS versions 5, 5.1 and 6. However, US-CERT revealed earlier this week that it was aware of publicly available exploit code and active attacks.

An attacker would exploit the bug by sending an anonymous but malicious HTTP request that takes advantage of a vulnerability in the way the WebDAV (Web-based Distributed Authoring and Versioning) extension for IIS handles these requests. WebDAV is a set of HTTP extensions that permits users to manage files on web servers.

Eric Schultze, CTO of Shavlik Technologies, said the amount of access that the bug may grant an attacker depends on how the web server is configured and secured.

"In a default configuration -- and I would gather most installations -- this flaw might allow the attacker to read certain files on the web server but would not allow them to write any files," he said in a statement. "If the attacker is unable to write any files to the web server, it's far less likely that the attacker can upload or execute any malicious code on the server or gain additional levels of access to the server."

In its advisory, Microsoft said a number of mitigating factors exist that would make it difficult to exploit the flaw, including enforcing file system ACLs (access control lists), denying write access by default to anonymous user accounts, and WebDAV not being enabled by default on IIS 6.

See original article on scmagazineus.com