This patch fixes what seems to be a buffer overflow in IIS. This buffer overflow can be exploited when IIS is processing ASP files.
In other words, in order to exploit this vulnerability, an attacker has to somehow be able to upload ASP files on the target server, which is running IIS (versions 5.0, 5.1 and 6.0 are affected). Normally, you would require a user to authenticate before they can upload files to the server, so the vulnerability is rated moderate/important.
In case that you do allow people to upload ASP files on your IIS server, it would be wise to apply the patch as soon as possible, although we don't know about any public exploits yet.
Microsoft's advisory is at http://www.microsoft.com/technet/security/Bulletin/MS06-034.mspx.
CVE at http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0026.
I will be teaching next: Web App Penetration Testing and Ethical Hacking - SANS London July 2020
Jul 11th 2006
1 decade ago