
SANS ISC InfoSec Handlers Diary Blog



Microsoft Security Bulletin MS06-053

Published: 2006-09-12
Last Updated: 2006-09-12 19:29:06 UTC
by Michael Haisley (Version: 1)
There is an information disclosure vulnerability in the Indexing Service because of the way that it handles query validation. The vulnerability could allow an attacker to run client-side script on behalf of a user. The script could spoof content, disclose information, or take any action that the user could take on the affected Web site.

Mitigating Factors:
By default, Internet Information Services (IIS) is not installed on Windows XP or on Windows Server 2003.

On Windows Server 2003, the Indexing Service is not enabled by default.

On Windows Server 2003, even when the Indexing Service is installed, by default it is not accessible from IIS. Manual steps are required to enable IIS to become a Web-based interface for the Indexing Service. By default the Indexing Service is used only to perform local and remote file system queries.

Recommendations: Evaluate urgency based on your installation, and apply the patch.
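
One way to evaluate urgency per host against the mitigating factors above, as an added example that is not part of the original diary or the Microsoft bulletin. It assumes the service names `W3SVC` (IIS web service) and `cisvc` (Indexing Service), which the diary does not state; the function names and urgency labels are this example's own. Service state cannot show whether IIS has been manually set up as a Web interface to the Indexing Service, so that factor still needs a manual check.

```powershell
# Added example, not from the diary. Run from Windows PowerShell on a management host.
# Assumed service names (not given in the diary): W3SVC = IIS web service,
# cisvc = Indexing Service.
function Get-ServiceExposure {
    param([string]$Name, [string]$ComputerName = '.')
    # -ErrorAction Stop: an unreachable host must fail loudly instead of
    # being reported as "not installed".
    $svc = Get-WmiObject -Class Win32_Service -ComputerName $ComputerName `
        -Filter "Name='$Name'" -ErrorAction Stop
    $info = @{ Name = $Name; Installed = $false; StartMode = 'n/a'; State = 'n/a' }
    if ($svc) {
        $info.Installed = $true
        $info.StartMode = $svc.StartMode   # Auto, Manual or Disabled
        $info.State     = $svc.State       # Running, Stopped, ...
    }
    New-Object PSObject -Property $info
}

function Test-MS06053Exposure {
    param([string]$ComputerName = '.')
    $iis = Get-ServiceExposure -Name 'W3SVC' -ComputerName $ComputerName
    $idx = Get-ServiceExposure -Name 'cisvc' -ComputerName $ComputerName
    # A service that is installed and not disabled can be started, so count it.
    $iisUsable = $iis.Installed -and $iis.StartMode -ne 'Disabled'
    $idxUsable = $idx.Installed -and $idx.StartMode -ne 'Disabled'

    # Urgency labels are this example's own convention, not Microsoft's rating.
    if ($iisUsable -and $idxUsable) {
        $urgency = 'Patch first: IIS and Indexing Service both usable; verify whether IIS exposes Indexing Service queries'
    } elseif ($iisUsable -or $idxUsable) {
        $urgency = 'Patch in normal cycle: only one of the two components is usable'
    } else {
        $urgency = 'Patch in normal cycle: neither component is usable'
    }
    New-Object PSObject -Property @{
        Computer = $ComputerName; IIS = $iis.StartMode
        IndexingService = $idx.StartMode; Urgency = $urgency
    }
}

# Constructed host list ('.' is the local machine); replace with your own inventory.
'.' | ForEach-Object { Test-MS06053Exposure -ComputerName $_ } | Format-List
```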