
Smokey Bear
veritas odium parit
Premium
join:2008-03-15
Annie's Pub
kudos:4


Re: [CONFIRMED] Microsoft IIS 0-Day Vulnerability Parsing Files

New Reports of a Vulnerability in IIS
Posted Sunday, December 27, 2009 5:33 PM by MSRC TEAM

On Dec. 23 we were made aware of a new claim of a vulnerability in Internet Information Services (IIS). We are still investigating this issue and are not aware of any active attacks but wanted to let customers know that our initial assessment shows that the IIS web server must be in a non-default, unsafe configuration in order to be vulnerable. An attacker would have to be authenticated and have write access to a directory on the web server with execute permissions which does not align with best practices or guidance Microsoft provides for secure server configuration. Customers using out of the box configurations and who follow security best practices are at reduced risk of being impacted by issues like this.

Once we’re done investigating, we will take appropriate action to help protect customers. This may include providing a security update through the monthly release process, an out-of-cycle update or additional guidance to help customers protect themselves.

This vulnerability was not responsibly disclosed to Microsoft and may put customers at risk. We continue to encourage responsible disclosure of vulnerabilities as we believe reporting vulnerabilities directly to a vendor serves everyone's best interests. This practice helps to ensure that customers receive comprehensive, high-quality updates for security vulnerabilities without exposure to malicious attackers while the update is being developed.

I want to close by providing some resources and best practices for securely configuring IIS servers:

IIS 6.0 Security Best Practices
»technet.microsoft.com/en-us/libr···10).aspx

Securing Sites with Web Site Permissions
»technet.microsoft.com/en-us/libr···10).aspx

IIS 6.0 Operations Guide
»technet.microsoft.com/en-us/libr···10).aspx

Improving Web Application Security: Threats and Countermeasures
»msdn.microsoft.com/en-us/library···921.aspx

Thanks,

Jerry Bryant

*This posting is provided "AS IS" with no warranties, and confers no rights*
»blogs.technet.com/msrc/archive/2···iis.aspx
--
Smokey's Security Forums »www.smokey-services.eu/forums/
Smokey's Security Weblog »smokeys.wordpress.com/
*OTL (formerly OTListIt2) by OldTimer - A sophisticated, comprehensive log analysis tool to clean PCs with malicious content*
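The MSRC post quoted above ties the exposure to one non-default condition: an authenticated user with write access to a web content directory from which IIS will execute. The following is an added example for this thread, not code from Microsoft or from the forum poster, that audits IIS 7+ site roots for that combination on the defender's side. It assumes the WebAdministration PowerShell module, that the handlers section's `accessPolicy` attribute carries the site's Read/Script/Execute flags, and a constructed list of low-privilege principal names that you should adapt to your own servers.

```powershell
# Added illustration for this thread, not code from Microsoft or the forum post.
# Audit of the condition the MSRC post describes: a web content directory that a
# low-privilege account can write to AND that IIS will execute or run scripts from.
# Assumes IIS 7+ with the WebAdministration module; the principal list and the use
# of handlers/@accessPolicy are assumptions to verify against your environment.
Import-Module WebAdministration

# Principals whose write access to web content is a red flag (assumed list).
$LowPrivPrincipals = @('BUILTIN\Users', 'BUILTIN\IIS_IUSRS', 'Everyone',
                       'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\IUSR')

# Narrow write bits: CreateFiles (WriteData) and AppendData. Modify and
# FullControl both contain these bits, so they are caught too, while a plain
# ReadAndExecute ACE is not (a -band against Modify would false-positive on reads).
$WriteRights = [System.Security.AccessControl.FileSystemRights]'CreateFiles, AppendData'

function Get-LowPrivWriteAces {
    # Returns the Allow ACEs on $Path that grant write bits to a low-privilege principal.
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band $WriteRights) -ne 0 -and
        $LowPrivPrincipals -contains $_.IdentityReference.Value
    }
}

function Get-SiteAccessPolicy {
    # Reads the site's handler access policy (e.g. "Read, Script" or "Read, Execute").
    param([Parameter(Mandatory)][string]$SiteName)
    $handlers = Get-WebConfiguration -Filter 'system.webServer/handlers' -PSPath "IIS:\Sites\$SiteName"
    [string]$handlers.accessPolicy
}

foreach ($site in Get-Website) {
    # physicalPath is usually stored with %SystemDrive%-style variables.
    $root   = [System.Environment]::ExpandEnvironmentVariables($site.physicalPath)
    $policy = Get-SiteAccessPolicy -SiteName $site.Name
    $dirs   = @($root) + @(Get-ChildItem -LiteralPath $root -Directory -Recurse -ErrorAction SilentlyContinue |
                           ForEach-Object FullName)
    foreach ($dir in $dirs) {
        $aces = Get-LowPrivWriteAces -Path $dir
        if (-not $aces) { continue }
        # Writable AND executable is the configuration the advisory calls unsafe.
        $severity = if ($policy -match 'Execute|Script') { 'HIGH' } else { 'review' }
        foreach ($ace in $aces) {
            [pscustomobject]@{
                Site         = $site.Name
                Directory    = $dir
                Principal    = $ace.IdentityReference.Value
                Rights       = $ace.FileSystemRights
                AccessPolicy = $policy
                Severity     = $severity
            }
        }
    }
}
```

Run it in an elevated PowerShell session on the web server and pipe the output to `Format-Table` or `Export-Csv`. Any `HIGH` row is a directory where a low-privilege or merely authenticated account can drop content that IIS is willing to execute; the remediation the advisory points at is to remove the write ACE or the Script/Execute policy for that path, or to move upload folders to a location with no execute permission.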


siljaline
I'm lovin' that double wide
Premium
join:2002-10-12
Montreal, QC
kudos:17


Thanks for this, Smokey Bear



Smokey Bear
veritas odium parit
Premium
join:2008-03-15
Annie's Pub
kudos:4

As usual, you're welcome siljaline



siljaline
I'm lovin' that double wide
Premium
join:2002-10-12
Montreal, QC
kudos:17

Greets
