Microsoft investigates security hole in IIS
By Microsoft Subnet on Tue, 05/19/09 - 11:27am.Microsoft late yesterday issued a security advisory (971492) about a publicly reported vulnerability in IIS versions 5, 5.1 and 6.0 that could allow an attacker to elevate privileges. The vulnerability is an IIS authentication bypass but it currently requires a narrow configuration, the company says. Microsoft is currently investigating the vulnerability to see if other configurations could be successfully targeted.
The hole can currently only work if your web server meets all of the following criteria:
- IF an IIS 5, 5.1, or 6.0 webserver is running with WebDAV enabled;
- AND the IIS server is using IIS permissions to restrict a subfolder of content to authenticated users;
- AND file system access is granted for the restricted content to the IUSR_[MachineName] account;
- AND a parent folder of the private subfolder allows anonymous access;
THEN an anonymous remote user may be able to leverage this vulnerability to access files that normally would only be served to authenticated webserver users.
Microsoft says it has not seen exploits of the vulnerability in the wild. It has not issued a patch, but has spelled out a number of workarounds, most of which involve modifying one or more of the configuration settings in the above list.
Visit the Microsoft Subnet web site for more news, blogs, podcasts. Subscribe to all Microsoft Subnet bloggers. Sign up for the bi-weekly Microsoft newsletter. (Click on News/Microsoft News Alert.)
May Patch Tuesday: One critical patch for PowerPoint
Windows 7 and WS2008 R2 ship date: holiday '09
CIOs seem to love VMware over Hyper-V
Using offshore certified Microsoft partners? Beware of security holes
Meet me in … a Meeting Workspace: Tips and Best Practices
Microsoft OpsMgr R2 release candidate available, will ship end of June
12 killer freebie SharePoint add-ons
Cloud computing is cheaper, greener but not yet enterprise ready
.Net Services: Microsoft's key to cloud security and Java interoperabilityFollow Microsoft Subnet on Twitter
- About The Microsoft Update
Julie Bort is the editor of Microsoft Subnet and Network World's Online Community Editor. She also writes the Open Source Subnet blog and is the editor responsible for the Cisco Subnet and Open Source Subnet web sites. If you have an idea for a blog, or a news tip on Microsoft, Cisco or Open Source technologies, contact her at jbort@nww.com, 970-482-6454 or follow Julie on Twitter @Julie188.The Microsoft Subnet blog is the official blog of the Network World's Microsoft Subnet community. Microsoft Subnet is the independent voice of Microsoft customers and is your gateway to daily Microsoft news, blogs, opinion, books, prize giveaways and more. Visit the Microsoft Subnet index page daily, and while you are there, subscribe to the Microsoft newsletter.
Policy on comments: Respectful discussion is welcomed! However comments that use inappropriate language, consist of name calling or personal attacks, or include accusations of wrongdoing are not appropriate. Those comments will be deleted or edited
Most Discussed Posts
- Blog Roll
-
- Microsoft Subnet Home Page
- http://www.networkworld.com/subnets/microsoft/
- All Microsoft Subnet bloggers
- http://www.networkworld.com/community/blogs/microsoft/feed
- ActiveWin
- http://www.activewin.com
- Blake Handler The Road to Know Where
- http://bhandler.spaces.live.com/
- Dmitry's PowerBlog
- http://dmitrysotnikov.wordpress.com/
- Doug Brown,DABCC
- http://www.dabcc.com
- Ed Bott's Windows Expertise
- http://www.edbott.com/weblog/
- Joseph Tartakoff Microsoft Blog
- http://blog.seattlepi.nwsource.com/microsoft/
- Long Zheng istartedsomething
- http://www.istartedsomething.com/
- Mini-Microsoft
- http://minimsft.blogspot.com/
- Paul Thurrott's Supersite for Windows
- http://www.winsupersite.com
- Robert McLaws WindowsNow
- http://www.windows-now.com
- Scobleizer
- http://scobleizer.com/
- Techmeme
- http://www.techmeme.com/
- Todd Bishop's Microsoft Blog
- http://www.techflash.com/Microsoft
-
Network World, Inc
The Connected Enterprise