SANS ISC: Pressure increasing for Microsoft to patch IIS 0 day - Internet Security | DShield SANS ISC InfoSec Forums

Pressure increasing for Microsoft to patch IIS 0 day

The other day ISC Handler Guy Bruneau posted a Diary pointing to a "Microsoft IIS 0Day Vulnerability in Parsing Files (semi-colon bug)". Secunia has confirmed the vulnerability "on a fully patched Windows Server 2003 R2 SP2 running Microsoft IIS version 6. Other versions may also be affected". The short version: IIS stops reading a requested file name at the first semicolon, so a file uploaded as "shell.asp;.jpg" passes an upload filter that only looks at the trailing ".jpg" but is handed to the ASP engine as "shell.asp". It should also be mentioned that if you don't think you're vulnerable because you are running a version of IIS that is not listed as affected, the conditions the bug needs to be useful (a location users can upload to where script execution is enabled) may have been configured by your webmaster when deploying IIS.

After reading up on related posts and earlier IIS issues, the nature of this vulnerability is such that it is likely to be widely and successfully exploited soon, and not only by the usual suspects: more effectively by the specialized groups of attackers that are after unrestricted access to your protected network, and of course by the groups after more mundane items like bank accounts.

No response yet from Microsoft that I see; I would expect significant customer pressure is on Microsoft to correct this vulnerability in the January patch cycle.
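To make the mechanics concrete, here is an added example that is not part of the diary or of any Microsoft code: it emulates the semicolon truncation described above, shows why an upload filter that checks only the trailing extension lets "shell.asp;.jpg" through, gives a stricter filename check, and runs a simple detection over a few constructed IIS W3C log lines. The function names, the extension lists and the log lines are all assumptions made for this example; the log field order is the IIS 6 default (cs-uri-stem is the fifth field).

```python
import re
from typing import List, Tuple

# Extensions IIS 6 maps to a script engine by default (illustrative subset, not exhaustive).
SCRIPT_EXTENSIONS = {".asp", ".aspx", ".asa", ".cer", ".cdx"}
# Extensions a typical image-upload handler would allow (assumed for this example).
ALLOWED_UPLOAD_EXTENSIONS = {".jpg", ".jpeg", ".gif", ".png"}


def last_extension(name: str) -> str:
    """Return the trailing extension, lower-cased: 'x.ASP' -> '.asp', 'noext' -> ''."""
    dot = name.rfind(".")
    return name[dot:].lower() if dot != -1 else ""


def naive_upload_check(filename: str) -> bool:
    """The weak check: only the trailing extension is inspected.
    'shell.asp;.jpg' ends in '.jpg', so this accepts it."""
    return last_extension(filename) in ALLOWED_UPLOAD_EXTENSIONS


def iis6_effective_name(request_path: str) -> str:
    """Emulate the semicolon bug: the file name is cut at the first ';',
    so '/uploads/shell.asp;.jpg' is served as '/uploads/shell.asp'."""
    return request_path.split(";", 1)[0]


def would_execute_as_script(request_path: str) -> bool:
    """True if, after the truncation above, the name carries a script-mapped extension."""
    return last_extension(iis6_effective_name(request_path)) in SCRIPT_EXTENSIONS


# Strict shape for a stored upload name: one run of safe characters, exactly one dot,
# one alphanumeric extension. This rejects ';', '/', spaces and double extensions outright.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]+\.[A-Za-z0-9]+$")


def hardened_upload_check(filename: str) -> Tuple[bool, str]:
    """Input-side half of the fix: reject anything outside SAFE_NAME, then require the single
    extension to be on the allow-list. (The server-side half, storing uploads under a
    generated name in a directory with script execution disabled, is configuration.)"""
    if not SAFE_NAME.match(filename):
        return False, "name must be <alnum/_/->.<ext> with exactly one dot and no ';'"
    if last_extension(filename) not in ALLOWED_UPLOAD_EXTENSIONS:
        return False, "extension not on allow-list"
    return True, "ok"


# Detection: a script extension immediately followed by ';' in the requested URI stem.
SEMICOLON_PROBE = re.compile(r"\.(?:asp|aspx|asa|cer|cdx);", re.IGNORECASE)


def find_semicolon_probes(log_lines: List[str]) -> List[str]:
    """Return W3C log lines whose cs-uri-stem (field 5 in the IIS 6 default layout)
    contains a script extension followed by ';'. Comment lines ('#...') are skipped."""
    hits = []
    for line in log_lines:
        if line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 5:
            continue
        if SEMICOLON_PROBE.search(fields[4]):
            hits.append(line)
    return hits


# Constructed sample log in the IIS 6 default W3C layout (not real traffic).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 6.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2009-12-28 10:15:01 10.0.0.5 GET /uploads/photo.jpg - 80 - 192.0.2.10 Mozilla/4.0 200 0 0
2009-12-28 10:15:07 10.0.0.5 GET /uploads/cmd.asp;.jpg - 80 - 192.0.2.10 Mozilla/4.0 200 0 0
2009-12-28 10:15:09 10.0.0.5 GET /uploads/cmd.asp;.jpg cmd=dir 80 - 192.0.2.10 Mozilla/4.0 200 0 0
""".splitlines()


if __name__ == "__main__":
    name = "shell.asp;.jpg"
    print("naive check accepts:", naive_upload_check(name))
    print("served as:", iis6_effective_name("/uploads/" + name))
    print("executes as script:", would_execute_as_script("/uploads/" + name))
    print("hardened check:", hardened_upload_check(name))
    for hit in find_semicolon_probes(SAMPLE_LOG):
        print("probe:", hit)
```

The detection regex only catches the semicolon form the diary discusses; it is a cheap first pass over existing logs, not a substitute for removing script execution from upload directories.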

Patrick

193 Posts
Once again:
Microsoft has responded already:
http://blogs.technet.com/msrc/archive/2009/12/27/new-reports-of-a-vulnerability-in-iis.aspx
Anonymous
McAfee Intrushield

Signature: UDS-HTTP: Microsoft IIS Multiple Extension Processing Security Bypass Vulnerability
Signature identifier: 0x40274500
Release date: 12/24/2009
First released in: UDS