May 18, 2009 7:52 PM PDT

Microsoft warns of new server vulnerability

by Ina Fried
  • Font size
  • Print
  • 12 comments

A new, unpatched vulnerability exists in one of Microsoft's server products, the company warned late Monday.

In a technical bulletin, the company said it is looking into "public reports of a possible vulnerability in Microsoft Internet Information Services (IIS)."

The company said that a flaw exists in a certain type of Web serving operation.

"An elevation of privilege vulnerability exists in the way that the WebDAV extension for IIS handles HTTP requests," Microsoft said. "An attacker could exploit this vulnerability by creating a specially crafted anonymous HTTP request to gain access to a location that typically requires authentication."

Microsoft said it is not aware of attacks using the vulnerability. The company said it may provide an update as part of its monthly Patch Tuesday or, depending on the severity, could provide a fix outside of its monthly patching schedule.

In the meantime, the company listed on its Web site certain configuration settings that can help mitigate the impact of the flaw.

During her years at CNET News, Ina Fried has changed beats several times, changed genders once, and covered both of the Pirates of Silicon Valley. These days, most of her attention is focused on Microsoft. E-mail Ina.
Topics:

Enterprise software

Tags:

Microsoft,

software,

vulnerability,

server

Share:
Digg
Del.icio.us
Reddit
Recent posts from Beyond Binary
Visual Studio launch delayed by 'a few weeks'
Glitches mar launch of Livescribe app store
Windows 7 leaving Redmond's help desk less busy
Microsoft top lawyer: EU deal opens new chapter
Microsoft: We did copy Plurk's code
Boeing's 787 takes flight
Hands-on with the Entourage Edge
Microsoft's server chief talks cloud (Q&A)
Related
Microsoft plugs zero-day IE hole
Firefox, Adobe top buggiest-software list
Symantec confirms zero-day Acrobat, Reader attack
Microsoft to plug critical IE hole targeted by exploit code
Amazon EC2 cloud service hit by botnet, outage
Adobe investigating Reader, Acrobat exploit reports
Web-based Lookout protects mobile devices, data
Firefox 3.5.6 patches critical security holes
Add a Comment (Log in or register) (12 Comments)
  • prev
  • 1
  • next
by monkeyfun14 May 18, 2009 8:17 PM PDT
Why the hell mention a vulnerability that no one is exploiting before you have a patch to fix it.
Reply to this comment
by boyd087 May 18, 2009 8:41 PM PDT
Why not? If the vulnerability has been publicized to any extent, then it's worthwhile to spread the word so that system administrators about a potential vulnerability and ways to mitigate risk. Instead of waiting for an exploit that uses a vulnerability, be proactive.

On the other hand, I would think/hope that this vulnerability would not impact most IIS configurations. Generally, it's probably good form to keep file system ACLs enforced and limit the IIS anonymous user account to read-only access on the IIS folder structure. Are there any major web applications that live on IIS that require this (and I'm asking because I'm not sure)? Additionally, there are probably a lot of IIS servers out there that don't even have WebDAV turned on. Also, it looks like IIS7 (Server 2008/Vista) isn't affected.
by johnwbaxter--2008 May 18, 2009 8:36 PM PDT
How could there possibly be a vulnerability in IIS!? There must be some mistake.
Reply to this comment
by dhavleak May 19, 2009 12:05 AM PDT
Not sure what you're implying there.
by slickuser May 18, 2009 9:37 PM PDT
keep them coming!
Reply to this comment
by Outside_Looking_In May 18, 2009 10:06 PM PDT
Oh, no! Not another vulnerability in another Microsoft product! It's all lies! All lies I tell you!
Reply to this comment
by Angmarr May 18, 2009 10:09 PM PDT
very informative
Reply to this comment
by The_happy_switcher May 18, 2009 10:48 PM PDT
Wow, and it's not even Tuesday yet.
Reply to this comment
by gertruded May 19, 2009 4:01 AM PDT
It must be some mistake, there has already been one hole revealed today. Isn't Windows wonderful?
Reply to this comment
by wolivere May 19, 2009 4:48 AM PDT
All OS's have them, http://www.ubuntu.com/usn
by 3rdalbum May 19, 2009 4:58 AM PDT
I'll buck the trend and say good on Microsoft for issuing a timely security advisory before anyone is affected by the problem.
Reply to this comment
by ExWinUser May 19, 2009 7:14 AM PDT
Now my Microsoft Certifications are worthless again!
Reply to this comment
(12 Comments)
  • prev
  • 1
  • next
advertisement

15 sites that went kaput in 2009

Web sites launch all the time, but they also shut their doors. We highlight 15 that bit the dust this year.

Top 10 news stories of the decade

Let the debate begin: Was the iPhone more important than iTunes? Was anything bigger than Google finding a great business model? CNET offers its list of the 10 most important stories of the '00s.

About Beyond Binary

During her years at CNET News, Ina Fried has changed beats several times, changed genders once, and covered both of the Pirates of Silicon Valley. These days, most of her attention is focused on Microsoft.


Beyond Binary is a look at how technology is changing our lives and the people behind all that life-changing stuff, with an extra emphasis on that which emanates from Redmond, Wash.

Add this feed to your online news reader

Beyond Binary topics

Binary Bits

    Follow Ina on Twitter (Twitter name: InaFried)
    advertisement
    advertisement

    Inside CNET News

    Scroll Left Scroll Right
    News
    News site map
    Latest headlines
    Contact News
    News staff
    Corrections
    CNET blogs
    Popular topics
    Apple iPhone
    Apple iPod
    Cell phones
    CES 2010
    GPS
    LCD TV
    CNET sites
    CNET Site map
    CNET TV
    Downloads
    News
    Reviews
    Shopper.com
    More information
    Newsletters
    CNET Mobile
    Customer Help Center
    RSS
    CNET Widgets
    About CNET