Softpedia
December 28th, 2009, 09:54 GMT · By

Microsoft Confirms 0-Day IIS Security Vulnerability

Microsoft has officially confirmed a zero-day security vulnerability affecting Internet Information Services (IIS). The security hole was initially reported just ahead of Christmas, on December 23rd, and the Redmond company provided its first response at the end of the past week. So far, the issue in question affects version 6 of IIS on a fully patched Windows Server 2003 R2 SP2; however, additional IIS releases might also be impacted. Jerry Bryant, Microsoft security program manager, notes that Microsoft is aware of the problem and that an investigation into the matter has already been started. At the same time, Bryant assured customers running IIS that Microsoft hasn’t detected any active attacks in the wild targeting the new 0-day flaw.

“Our initial assessment shows that the IIS web server must be in a non-default, unsafe configuration in order to be vulnerable. An attacker would have to be authenticated and have write access to a directory on the web server with execute permissions which does not align with best practices or guidance Microsoft provides for secure server configuration. Customers using out of the box configurations and who follow security best practices are at reduced risk of being impacted by issues like this,” Bryant explained.

The vulnerability identified in Microsoft Internet Information Services (IIS) lies in the incorrect way the server handles files with multiple extensions. As long as the multiple extensions are separated by the ";" character, the IIS server treats the file as an ASP file, regardless of the extension that appears last in the name. A possible attack scenario could be based on an exploit constructed out of malformed executables. Any malicious files uploaded to a vulnerable web server would circumvent any file extension protections and restrictions in place, because an upload filter that checks only the final extension sees a harmless type while the server executes the file as ASP.

“Once we’re done investigating, we will take appropriate action to help protect customers. This may include providing a security update through the monthly release process, an out-of-cycle update or additional guidance to help customers protect themselves,” Bryant added. “This vulnerability was not responsibly disclosed to Microsoft and may put customers at risk. We continue to encourage responsible disclosure of vulnerabilities as we believe reporting vulnerabilities directly to a vendor serves everyone's best interests. This practice helps to ensure that customers receive comprehensive, high-quality updates for security vulnerabilities without exposure to malicious attackers while the update is being developed.”

Microsoft is currently working on a patch, but in the meantime server administrators can make sure that their deployments follow the IIS 6.0 Security Best Practices provided by the company. Configuring a secure IIS server means that customers can at least mitigate the risk until a security update is offered.
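The two practical steps that follow from the description above are a hardened upload-name check (reject the ";" pattern before a file ever lands in a directory with execute permissions) and a sweep of existing web content for names that already match it, which is what the reader comment below describes doing by hand. The following Python is an added example written for this article; it is not Microsoft's code or tooling, and it models only what the article states: a name whose segment before the first ";" ends in ".asp" is treated as ASP. The function names, the `SCRIPT_EXTENSIONS` set (deliberately limited to ".asp" since the article names no other mapping) and the sample filenames are all constructed for the example.

```python
import os
import tempfile
from dataclasses import dataclass
from typing import Iterable, List

# Extensions the server executes as script. The article only names ASP, so the
# set is kept to that one entry as an assumption; extend it to match your own
# script mappings if you know them.
SCRIPT_EXTENSIONS = frozenset({".asp"})


def effective_extension(filename: str) -> str:
    """Extension the server acts on, per the article: the extension of the
    segment before the first ';' (the whole name when no ';' is present)."""
    head = filename.split(";", 1)[0]
    return os.path.splitext(head)[1].lower()


def visible_extension(filename: str) -> str:
    """Extension a naive upload filter checks: the last one in the name."""
    return os.path.splitext(filename)[1].lower()


def is_semicolon_script_name(filename: str,
                             script_exts: Iterable[str] = SCRIPT_EXTENSIONS) -> bool:
    """True when the name carries a ';' and would be executed as script even
    though its visible extension looks harmless (e.g. 'avatar.asp;.jpg')."""
    if ";" not in filename:
        return False
    return effective_extension(filename) in set(script_exts)


def is_allowed_upload_name(filename: str, allowed_exts: Iterable[str]) -> bool:
    """Hardened upload check: reject ';' (and NUL) outright, then require that
    the file has exactly one extension and that it is on the allow-list."""
    allowed = {e.lower() for e in allowed_exts}
    if ";" in filename or "\x00" in filename:
        return False
    root, ext = os.path.splitext(filename)
    if ext.lower() not in allowed:
        return False
    # Also refuse stacked extensions such as 'a.asp.jpg', so a later change to
    # the server's script mappings cannot turn a stored file into executable content.
    return os.path.splitext(root)[1] == ""


@dataclass
class Finding:
    path: str       # full path of the suspicious file
    visible: str    # extension a filter would have seen
    effective: str  # extension the server would execute


def scan_tree(root: str,
              script_exts: Iterable[str] = SCRIPT_EXTENSIONS) -> List[Finding]:
    """Walk a content directory and report every file whose name matches the
    semicolon pattern; run this over upload and writable virtual directories."""
    findings: List[Finding] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if is_semicolon_script_name(name, script_exts):
                findings.append(Finding(os.path.join(dirpath, name),
                                        visible_extension(name),
                                        effective_extension(name)))
    return findings


def demo() -> List[Finding]:
    """Build a temporary 'upload' directory with constructed sample names,
    scan it, and return the findings (two of the five names should be flagged)."""
    sample_names = ["logo.jpg", "report.pdf", "avatar.asp;.jpg",
                    "notes.asp;.txt", "page.asp"]
    with tempfile.TemporaryDirectory() as tmp:
        for name in sample_names:
            open(os.path.join(tmp, name), "w").close()  # empty placeholder files
        return scan_tree(tmp)


if __name__ == "__main__":
    for f in demo():
        print(f"{f.path}: looks like {f.visible}, executes as {f.effective}")
```

Note that `scan_tree` deliberately does not flag a plain `page.asp`: ordinary ASP pages belong in a web root, and the signal of interest is a name whose visible and effective extensions disagree. `is_allowed_upload_name` is stricter than the detection check on purpose; for uploads there is no legitimate reason to accept ";" or stacked extensions at all, so rejecting them costs nothing and does not depend on knowing the server's exact script mappings.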

READER COMMENTS:


Comment #1 by: anon on 28 Dec 2009, 17:34 UTC

This is worse than a zero-day vulnerability. We are assessing our IIS Servers, and we already have found month-old files with the .asp;.jpg extension.

Looks like hackers have known about this for quite some time.

This is much more critical than the Secunia "moderate" rating, as arbitrary code can be easily uploaded and executed.
