Slashdot Mirror


Microsoft Downplays IIS Bug Threat

snydeq writes "Microsoft confirmed that its IIS Web-server software contains a vulnerability that could let attackers steal data, but downplayed the threat, saying 'only a specific IIS configuration is at risk from this vulnerability.' The flaw, which involves how Microsoft's software processes Unicode tokens, has been found to give attackers a way to view protected files on IIS Web servers without authorization. The vulnerability, exposed by Nikolaos Rangos, could be used to upload files as well. Affecting IIS 6 users who have enabled WebDAV for sharing documents via the Web, the flaw is currently being exploited in online attacks, according to CERT, and is reminiscent of the well-known IIS Unicode path traversal issue of 2001, one of the worst Windows vulnerabilities of the past decade."

  1. 'only a specific IIS configuration is at risk' by Jurily · · Score: 5, Funny

    The default?

    1. Re:'only a specific IIS configuration is at risk' by AliasMarlowe · · Score: 4, Funny

      Did they give any configuration which is not at risk?

      --
      Those who can make you believe absurdities can make you commit atrocities. - Voltaire
    2. Re:'only a specific IIS configuration is at risk' by Jurily · · Score: 4, Funny

      Did they give any configuration which is not at risk?

      Yes. It's a hidden one, only attainable by those who see the Light. All hail fdisk!

    3. Re:'only a specific IIS configuration is at risk' by cayenne8 · · Score: 3, Funny

      "Only servers with WEBDAV installed are vulnerable. WEBDAV is not installed and configured by default."

      Sounds like you could avoid it by not allowing Unicode either...

      I mean, who really needs 'all' those characters?

      --
      Light travels faster than sound. This is why some people appear bright until you hear them speak.........
  2. oblig by Benanov · · Score: 4, Funny

    One that isn't installed.

  3. Internal Memo by geoffrobinson · · Score: 5, Funny

    To Whom It May Be Concerned:

    Warner Bros., in an ill-advised attempt to promote Terminator Salvation, created a Skynet virus which aims to take over the world.

    For some reason, it targets IIS.

    We're doomed. Please head to the bomb shelter and the world will start again with a base of Microsoft employees.

    thank you,
    Management

    --
    Except for ending slavery, the Nazis, communism, & securing American independence, war has never solved anything.
  4. Re:Subliminal messaging by ZinnHelden · · Score: 3, Funny

    Yeah, I may hear their insane whispering, but I'm not giving up my Citadel server.

  5. It's not a big deal by SlappyBastard · · Score: 5, Funny

    Anyone using the exploit is prompted repeatedly about whether they really, really want to do it.

    Geez. Don't you people know anything about Windows security?

    --
    I scream. You scream. I assume that means we're both acquainted with the problem. We proceed.