Slashdot Mirror


Microsoft Downplays IIS Bug Threat

snydeq writes "Microsoft confirmed that its IIS Web-server software contains a vulnerability that could let attackers steal data, but downplayed the threat, saying 'only a specific IIS configuration is at risk from this vulnerability.' The flaw, which involves how Microsoft's software processes Unicode tokens, has been found to give attackers a way to view protected files on IIS Web servers without authorization. The vulnerability, exposed by Nikolaos Rangos, could be used to upload files as well. Affecting IIS 6 users who have enabled WebDAV for sharing documents via the Web, the flaw is currently being exploited in online attacks, according to CERT, and is reminiscent of the well-known IIS Unicode path traversal issue of 2001, one of the worst Windows vulnerabilities of the past decade."


  1. 'only a specific IIS configuration is at risk' by Jurily · · Score: 5, Funny

    The default?

    1. Re:'only a specific IIS configuration is at risk' by AliasMarlowe · · Score: 4, Funny

      Did they give any configuration which is not at risk?

      --
      Those who can make you believe absurdities can make you commit atrocities. - Voltaire
    2. Re:'only a specific IIS configuration is at risk' by Jurily · · Score: 4, Funny

      Did they give any configuration which is not at risk?

      Yes. It's a hidden one, only attainable by those who see the Light. All hail fdisk!

    3. Re:'only a specific IIS configuration is at risk' by cayenne8 · · Score: 3, Funny

      "Only servers with WEBDAV installed are vulnerable. WEBDAV is not installed and configured by default."

      Sounds like you could avoid it by not allowing Unicode either...

      I mean, who really needs 'all' those characters?

      --
      Light travels faster than sound. This is why some people appear bright until you hear them speak.........
    4. Re:'only a specific IIS configuration is at risk' by rvw · · Score: 2, Funny

      I mean, who really needs 'all' those characters?

      Here on slashdot, we only need one character: Anonymous Coward!

  2. oblig by Benanov · · Score: 4, Funny

    One that isn't installed.

  3. Internal Memo by geoffrobinson · · Score: 5, Funny

    To Whom It May Be Concerned:

    Warner Bros., in an ill-advised attempt to promote Terminator Salvation, created a Skynet virus which aims to take over the world.

    For some reason, it targets IIS.

    We're doomed. Please head to the bomb shelter and the world will start again with a base of Microsoft employees.

    Thank you,
    Management

    --
    Except for ending slavery, the Nazis, communism, & securing American independence, war has never solved anything.
  4. Re:Subliminal messaging by ZinnHelden · · Score: 3, Funny

    Yeah, I may hear their insane whispering, but I'm not giving up my Citadel server.

  5. It's not a big deal by SlappyBastard · · Score: 5, Funny

    Anyone using the exploit is prompted repeatedly about whether they really, really want to do it.

    Geez. Don't you people know anything about Windows security?

    --
    I scream. You scream. I assume that means we're both acquainted with the problem. We proceed.
  6. Re:ISS bug by Ash-Fox · · Score: 2, Funny

    NASA downplays ISS bug.

    Fortunately they have got a Russian on board the space station.

    "This is how we fix things on Russian space station!" --Lev Andropov

    (He then proceeds to take a hammer and whack the equipment.)

    --
    Change is certain; progress is not obligatory.
  7. Re:WebDAV used much? by dbIII · · Score: 2, Funny

    IIS6 (IIS7 more so though) is totally rock solid and extremely secure

    Reality just stood up and punched that misconception on the nose.

  8. Re:Are they big enough? by Anonymous Coward · · Score: 1, Funny

    That sounded dangerously close to being pro-Microsoft, comrade...