• On The Insider: Britney's Bikini-Clad Top 10
May 18, 2009 7:52 PM PDT

Microsoft warns of new server vulnerability

by Ina Fried
  • Font size
  • Print
  • 12 comments

A new, unpatched vulnerability exists in one of Microsoft's server products, the company warned late Monday.

In a technical bulletin, the company said it is looking into "public reports of a possible vulnerability in Microsoft Internet Information Services (IIS)."

The company said that a flaw exists in a certain type of Web serving operation.

"An elevation of privilege vulnerability exists in the way that the WebDAV extension for IIS handles HTTP requests," Microsoft said. "An attacker could exploit this vulnerability by creating a specially crafted anonymous HTTP request to gain access to a location that typically requires authentication."

Microsoft said it is not aware of attacks using the vulnerability. The company said it may provide an update as part of its monthly Patch Tuesday or, depending on the severity, could provide a fix outside of its monthly patching schedule.

In the meantime, the company listed on its Web site certain configuration settings that can help mitigate the impact of the flaw.

During her years at CNET News, Ina Fried has changed beats several times, changed genders once, and covered both of the Pirates of Silicon Valley. These days, most of her attention is focused on Microsoft. E-mail Ina.
Topics:

Enterprise software

Tags:

Microsoft,

software,

vulnerability,

server

Share:
Digg
Del.icio.us
Reddit
Recent posts from Beyond Binary
Microsoft investigating 'black screen of death'
Windows 8 in 2012?
Sinofsky's Windows plan: More data, less testosterone
Ballmer: Windows 7 selling like hotcakes
Windows boss on building his first laptop
Livescribe pen gets an app store
Office 2010 beta goes public
Windows Azure containers on display in LA
Related
Microsoft patches critical hole in Windows kernel
Microsoft patching zero-day Windows 7 SMB hole
Phishing, worms spike this year, say Microsoft and McAfee
Microsoft probing Windows 7 zero-day hole
Apple plugs holes for domain spoofing, other attacks
Browser security features compared
Microsoft warns of IE exploit code in the wild
Microsoft to fix holes in Windows, Office
Add a Comment (Log in or register) (12 Comments)
  • prev
  • 1
  • next
by monkeyfun14 May 18, 2009 8:17 PM PDT
Why the hell mention a vulnerability that no one is exploiting before you have a patch to fix it.
Reply to this comment
by boyd087 May 18, 2009 8:41 PM PDT
Why not? If the vulnerability has been publicized to any extent, then it's worthwhile to spread the word so that system administrators about a potential vulnerability and ways to mitigate risk. Instead of waiting for an exploit that uses a vulnerability, be proactive.

On the other hand, I would think/hope that this vulnerability would not impact most IIS configurations. Generally, it's probably good form to keep file system ACLs enforced and limit the IIS anonymous user account to read-only access on the IIS folder structure. Are there any major web applications that live on IIS that require this (and I'm asking because I'm not sure)? Additionally, there are probably a lot of IIS servers out there that don't even have WebDAV turned on. Also, it looks like IIS7 (Server 2008/Vista) isn't affected.
by johnwbaxter--2008 May 18, 2009 8:36 PM PDT
How could there possibly be a vulnerability in IIS!? There must be some mistake.
Reply to this comment
by dhavleak May 19, 2009 12:05 AM PDT
Not sure what you're implying there.
by slickuser May 18, 2009 9:37 PM PDT
keep them coming!
Reply to this comment
by Outside_Looking_In May 18, 2009 10:06 PM PDT
Oh, no! Not another vulnerability in another Microsoft product! It's all lies! All lies I tell you!
Reply to this comment
by Angmarr May 18, 2009 10:09 PM PDT
very informative
Reply to this comment
by The_happy_switcher May 18, 2009 10:48 PM PDT
Wow, and it's not even Tuesday yet.
Reply to this comment
by gertruded May 19, 2009 4:01 AM PDT
It must be some mistake, there has already been one hole revealed today. Isn't Windows wonderful?
Reply to this comment
by wolivere May 19, 2009 4:48 AM PDT
All OS's have them, http://www.ubuntu.com/usn
by 3rdalbum May 19, 2009 4:58 AM PDT
I'll buck the trend and say good on Microsoft for issuing a timely security advisory before anyone is affected by the problem.
Reply to this comment
by ExWinUser May 19, 2009 7:14 AM PDT
Now my Microsoft Certifications are worthless again!
Reply to this comment
(12 Comments)
  • prev
  • 1
  • next
advertisement

S.F. hacker space: Heaven for the DIY set?

The Noisebridge hacker space offers sewing and Mandarin classes, soldering workshops, Internet-controlled front door access, and a server room with no door.
• Photos: Circuits, code, community

The browser battles go on and on

roundup From Firefox to IE and from Chrome to Opera and Safari, there's no sitting still for browser makers looking to keep their products fresh and competitive.

About Beyond Binary

During her years at CNET News, Ina Fried has changed beats several times, changed genders once, and covered both of the Pirates of Silicon Valley. These days, most of her attention is focused on Microsoft.


Beyond Binary is a look at how technology is changing our lives and the people behind all that life-changing stuff, with an extra emphasis on that which emanates from Redmond, Wash.

Add this feed to your online news reader

Beyond Binary topics

Binary Bits

    Follow Ina on Twitter (Twitter name: InaFried)
    advertisement
    advertisement
    Click Here

    Inside CNET News

    Scroll Left Scroll Right
    News
    News site map
    Latest headlines
    Contact News
    News staff
    Corrections
    CNET blogs
    Popular topics
    Apple iPhone
    Apple iPod
    Cell phones
    Dell
    GPS
    LCD TV
    CNET sites
    CNET Site map
    CNET TV
    Downloads
    News
    Reviews
    Shopper.com
    More information
    Newsletters
    CNET Mobile
    Customer Help Center
    RSS
    CNET Widgets
    About CNET