Just an inconsistency

Dec 30, 2009 10:13 GMT

After confirming that it was investigating reports of a zero-day (0-day) security hole affecting Internet Information Services (IIS) being exploited in the wild, Microsoft is now saying that it has wrapped up the investigation and that no vulnerability was found. Instead of the alleged security vulnerability, the Redmond company could confirm only the existence of an inconsistency and nothing else, according to Christopher Budd, security response communications lead for Microsoft.

“What we have seen is that there is an inconsistency in IIS 6 only in how it handles semicolons in URLs. It’s this inconsistency that the claims have focused on, saying this enables an attacker to bypass content filtering software to upload and execute code on an IIS server,” revealed Budd.

The Redmond company explains that the problem, in combination with insecure IIS configurations, allows potential attackers to build exploits from malicious executables assembled out of files with multiple extensions, which the IIS server handles as ASP files. “For the scenario to work, the IIS server must already be configured to allow both “write” and “execute” privileges on the same directory. This is not the default configuration for IIS and is contrary to all of our published best practices. Quite simply, an IIS server configured in this manner is inherently vulnerable to attack,” Budd added.
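As an added illustration (not code from the article or from Microsoft), the following Python contrasts an upload filter that inspects only the trailing extension with one hardened against the semicolon handling Budd describes; the semicolon-truncation model of IIS 6, the handler extension set and the allowed image types are simplifying assumptions.

```python
"""Constructed example: why a filter that checks only the last extension
disagrees with how IIS 6 resolves a name containing a semicolon."""
import posixpath
import re

# Extensions IIS 6 maps to the ASP script engine (assumed subset, not the
# server's complete handler mapping).
SCRIPT_EXTENSIONS = {".asp", ".asa", ".cer", ".cdx"}
# Extensions the upload feature is meant to accept (constructed for the example).
IMAGE_EXTENSIONS = {".jpg", ".png", ".gif"}


def naive_is_allowed(filename: str) -> bool:
    """Typical content filter: trust whatever follows the last dot."""
    ext = posixpath.splitext(filename)[1].lower()
    return ext in IMAGE_EXTENSIONS


def iis6_effective_name(filename: str) -> str:
    """Simplified model of the inconsistency: IIS 6 evaluates the path only
    up to the first semicolon (assumption made for this example)."""
    return filename.split(";", 1)[0]


def handled_as_script(filename: str) -> bool:
    """Would IIS 6 hand this file to the ASP engine under the model above?"""
    ext = posixpath.splitext(iis6_effective_name(filename))[1].lower()
    return ext in SCRIPT_EXTENSIONS


def strict_is_allowed(filename: str) -> bool:
    """Hardened filter: a single safe base name, exactly one extension from
    the allow-list, and a final check against the server's own view."""
    if not re.fullmatch(r"[A-Za-z0-9_-]+\.(jpg|png|gif)", filename):
        return False
    return not handled_as_script(filename)


def audit(names):
    """Report names the naive filter accepts but the server would execute."""
    return [n for n in names if naive_is_allowed(n) and handled_as_script(n)]
```

Even with the strict filter in place, the configuration point stands: a directory that grants both write and execute is the precondition the article describes, and the filter is only a second line of defence.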

Microsoft notes that customers running IIS 6.0 in the default configuration, and those who have taken the necessary steps to secure their environments by following the company’s best practices, have nothing to worry about. IIS 6.0 in its default configuration is not affected by the problem erroneously reported as an IIS vulnerability.

“If, however, you are running IIS in a configuration that allows both “write” and “execute” privileges on the same directory like this scenario requires, you should review our best practices and make changes to better secure your system from the threats that configuration can enable. Once again, here’s a list of best practices resources:

·         IIS 6.0 Security Best Practices;
·         Securing Sites with Web Site Permissions;
·         IIS 6.0 Operations Guide;
·         Improving Web Application Security: Threats and Countermeasures,” Budd stated.