• On MovieTome: The 10 worst movies of 2009 so far!
May 18, 2009 7:52 PM PDT

Microsoft warns of new server vulnerability

by Ina Fried
  • Font size
  • Print
  • 12 comments
Share

A new, unpatched vulnerability exists in one of Microsoft's server products, the company warned late Monday.

In a technical bulletin, the company said it is looking into "public reports of a possible vulnerability in Microsoft Internet Information Services (IIS)."

The company said that a flaw exists in a certain type of Web serving operation.

"An elevation of privilege vulnerability exists in the way that the WebDAV extension for IIS handles HTTP requests," Microsoft said. "An attacker could exploit this vulnerability by creating a specially crafted anonymous HTTP request to gain access to a location that typically requires authentication."

Microsoft said it is not aware of attacks using the vulnerability. The company said it may provide an update as part of its monthly Patch Tuesday or, depending on the severity, could provide a fix outside of its monthly patching schedule.

In the meantime, the company listed on its Web site certain configuration settings that can help mitigate the impact of the flaw.

During her years at CNET News, Ina Fried has changed beats several times, changed genders once, and covered both of the Pirates of Silicon Valley. These days, most of her attention is focused on Microsoft. E-mail Ina.
Topics:

Enterprise software

Tags:

Microsoft,

software,

vulnerability,

server

Share:
Digg
Del.icio.us
Reddit
Recent posts from Beyond Binary
Microsoft labs tests a Wikipedia of average Joes
Windows 7 family pack starting to sell out
Behind last night's Bing outage
Microsoft's Bing goes down
Bing's iPhone plans (and more)
Microsoft's Mehdi on financial impact of Yahoo deal
Microsoft: November security updates are fine
Using tunes to tout Windows 7
Related
Microsoft patches critical hole in Windows kernel
Microsoft to plug critical IE hole targeted by exploit code
Microsoft patching zero-day Windows 7 SMB hole
Microsoft probing Windows 7 zero-day hole
Apple plugs holes for domain spoofing, other attacks
Browser security features compared
Microsoft warns of IE exploit code in the wild
Jailbroken iPhone? SSH installed? Beware of worms!
Add a Comment (Log in or register) (12 Comments)
  • prev
  • 1
  • next
by monkeyfun14 May 18, 2009 8:17 PM PDT
Why the hell mention a vulnerability that no one is exploiting before you have a patch to fix it.
Reply to this comment
by boyd087 May 18, 2009 8:41 PM PDT
Why not? If the vulnerability has been publicized to any extent, then it's worthwhile to spread the word so that system administrators about a potential vulnerability and ways to mitigate risk. Instead of waiting for an exploit that uses a vulnerability, be proactive.

On the other hand, I would think/hope that this vulnerability would not impact most IIS configurations. Generally, it's probably good form to keep file system ACLs enforced and limit the IIS anonymous user account to read-only access on the IIS folder structure. Are there any major web applications that live on IIS that require this (and I'm asking because I'm not sure)? Additionally, there are probably a lot of IIS servers out there that don't even have WebDAV turned on. Also, it looks like IIS7 (Server 2008/Vista) isn't affected.
by johnwbaxter--2008 May 18, 2009 8:36 PM PDT
How could there possibly be a vulnerability in IIS!? There must be some mistake.
Reply to this comment
by dhavleak May 19, 2009 12:05 AM PDT
Not sure what you're implying there.
by slickuser May 18, 2009 9:37 PM PDT
keep them coming!
Reply to this comment
by Outside_Looking_In May 18, 2009 10:06 PM PDT
Oh, no! Not another vulnerability in another Microsoft product! It's all lies! All lies I tell you!
Reply to this comment
by Angmarr May 18, 2009 10:09 PM PDT
very informative
Reply to this comment
by The_happy_switcher May 18, 2009 10:48 PM PDT
Wow, and it's not even Tuesday yet.
Reply to this comment
by gertruded May 19, 2009 4:01 AM PDT
It must be some mistake, there has already been one hole revealed today. Isn't Windows wonderful?
Reply to this comment
by wolivere May 19, 2009 4:48 AM PDT
All OS's have them, http://www.ubuntu.com/usn
by 3rdalbum May 19, 2009 4:58 AM PDT
I'll buck the trend and say good on Microsoft for issuing a timely security advisory before anyone is affected by the problem.
Reply to this comment
by ExWinUser May 19, 2009 7:14 AM PDT
Now my Microsoft Certifications are worthless again!
Reply to this comment
(12 Comments)
  • prev
  • 1
  • next
advertisement

The yogurt makers of tech: Gadgets to avoid

Don't buy these one-trick ponies--unless you like gizmos that gather dust.

Google wants to unclog Net's DNS plumbing

The Net giant, ever eager for a faster Internet, debuts its Google Public DNS service. With it, Google could become even more central to the Net.

About Beyond Binary

During her years at CNET News, Ina Fried has changed beats several times, changed genders once, and covered both of the Pirates of Silicon Valley. These days, most of her attention is focused on Microsoft.


Beyond Binary is a look at how technology is changing our lives and the people behind all that life-changing stuff, with an extra emphasis on that which emanates from Redmond, Wash.

Add this feed to your online news reader

Beyond Binary topics

Binary Bits

    Follow Ina on Twitter (Twitter name: InaFried)
    advertisement
    advertisement

    Inside CNET News

    Scroll Left Scroll Right
    News
    News site map
    Latest headlines
    Contact News
    News staff
    Corrections
    CNET blogs
    Popular topics
    Apple iPhone
    Apple iPod
    Cell phones
    Dell
    GPS
    LCD TV
    CNET sites
    CNET Site map
    CNET TV
    Downloads
    News
    Reviews
    Shopper.com
    More information
    Newsletters
    CNET Mobile
    Customer Help Center
    RSS
    CNET Widgets
    About CNET