Residing in the WebDAV extension

May 19, 2009 08:08 GMT

Information on a new 0-day vulnerability affecting Microsoft server software is available in the wild, the Redmond company has confirmed. The software giant said that it is investigating public reports of a security hole in various versions of Internet Information Services (IIS). The company has published a preliminary assessment of the vulnerability which, in the event of a successful exploit, could lead to information disclosure.

“Microsoft issued Security Advisory 971492 to address public reports of a vulnerability in Microsoft Internet Information Services (IIS) that could allow elevation of privilege. At this time, Microsoft is not aware of any known attacks that attempt to use this vulnerability,” explained Christopher Budd, security response communications lead for Microsoft. “Microsoft will take the appropriate action to protect our customers, which may include providing a solution through our monthly security update release process, or an out-of-cycle security update, depending on customer needs.”

The vulnerability resides in the WebDAV extension and is connected with the manner in which the IIS extension handles HTTP requests. Essentially, the security flaw could allow a potential attacker to effectively bypass IIS authentication. As long as WebDAV is not running on IIS, customers are safe, according to Microsoft. In fact, this is also the simplest workaround for customers to protect their environments against exploits: just switch off WebDAV.

Otherwise, IIS 5.0, IIS 5.1, and IIS 6.0 with WebDAV enabled are all vulnerable to exploits. “An attacker could exploit this vulnerability by creating a specially crafted anonymous HTTP request to gain access to a location that typically requires authentication,” Budd added.

Microsoft made it clear that Internet Information Services 7.0 was not affected by the vulnerability. “The most likely attack would be a malicious anonymous user requesting contents of a webserver subdirectory that uses IIS permission restricting access to only authenticated users. The root of the webserver would typically grant read access to the anonymous user account so this vulnerability would allow the protected subdirectories to be accessed using the permissions of the webserver root (allowing anonymous access),” added Jonathan Ness, MSRC Engineering.
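For administrators taking inventory, the exposure condition described above (IIS 5.0, 5.1 or 6.0 with WebDAV enabled) can be triaged from responses to an HTTP OPTIONS request. The script below is an added example, not Microsoft's tooling: it assumes a WebDAV-enabled server advertises a `DAV` header or WebDAV methods in `Allow`/`Public` (RFC 4918 behaviour) and that the `Server` banner is accurate, and the sample responses are constructed.

```python
# Added example: classify captured OPTIONS responses against the affected
# configuration named in the article. Sample responses below are constructed.
AFFECTED_BANNERS = ("microsoft-iis/5.0", "microsoft-iis/5.1", "microsoft-iis/6.0")
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"}


def parse_headers(raw):
    """Return (status_line, {lowercased header name: value}) from a raw response head."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = [line for line in head.split("\n") if line.strip()]
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            key = name.strip().lower()
            # Repeated headers are folded into one comma-separated value.
            headers[key] = (headers[key] + ", " if key in headers else "") + value.strip()
    return (lines[0] if lines else ""), headers


def assess(raw):
    """Return 'exposed', 'affected-version-no-webdav' or 'not-affected'."""
    _, h = parse_headers(raw)
    banner = h.get("server", "").lower()
    # Assumption: the banner is truthful; a suppressed banner reads as not-affected.
    affected = any(b in banner for b in AFFECTED_BANNERS)
    methods = {m.strip().upper()
               for field in ("allow", "public")
               for m in h.get(field, "").split(",") if m.strip()}
    webdav = "dav" in h or bool(methods & WEBDAV_METHODS)
    if affected and webdav:
        return "exposed"
    return "affected-version-no-webdav" if affected else "not-affected"


SAMPLES = {  # constructed OPTIONS responses, not captured from real hosts
    "iis6-dav": "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/6.0\r\nMS-Author-Via: DAV\r\n"
                "DAV: 1, 2\r\nAllow: OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, LOCK, UNLOCK\r\n\r\n",
    "iis6-nodav": "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/6.0\r\n"
                  "Public: OPTIONS, TRACE, GET, HEAD, POST\r\nAllow: OPTIONS, TRACE, GET, HEAD\r\n\r\n",
    "iis7-dav": "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/7.0\r\nDAV: 1,2,3\r\n"
                "Allow: OPTIONS, GET, HEAD, PROPFIND, LOCK, UNLOCK\r\n\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name}: {assess(raw)}")
```

Hosts reported as `exposed` are the ones where the article's workaround, switching off WebDAV, applies.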