Slashdot Mirror


Microsoft Downplays IIS Bug Threat

snydeq writes "Microsoft confirmed that its IIS Web-server software contains a vulnerability that could let attackers steal data, but downplayed the threat, saying 'only a specific IIS configuration is at risk from this vulnerability.' The flaw, which involves how Microsoft's software processes Unicode tokens, has been found to give attackers a way to view protected files on IIS Web servers without authorization. The vulnerability, exposed by Nikolaos Rangos, could be used to upload files as well. Affecting IIS 6 users who have enabled WebDAV for sharing documents via the Web, the flaw is currently being exploited in online attacks, according to CERT, and is reminiscent of the well-known IIS Unicode path traversal issue of 2001, one of the worst Windows vulnerabilities of the past decade."

1 of 114 comments

  1. Re:WebDAV used much? by gadget+junkie · · Score: 1, Flamebait

    [...]

    What makes it far more major is that it's one of the extremely rare remotely exploitable vulnerabilities that IIS6 has had. Contrary to Slashdot belief, IIS6 (IIS7 more so though) is totally rock solid and extremely secure, so having something like that pop up is quite scary.

    Contrary to Slashdot belief, Slashdotters usually rant about Microsoft client operating systems, like Vista or Win7. Ranting about Server Software is bad form, primarily because Linux/Apache is the primary platform, and Slashdot should therefore rant that Linux is nipping MS in the bud with its uncompetitive practices.

    --
    "If a boss demands loyalty, give him integrity. But if he demands integrity, give him loyalty." (John Boyd, 1927-1997)