Slashdot Mirror


Microsoft Downplays IIS Bug Threat

snydeq writes "Microsoft confirmed that its IIS Web-server software contains a vulnerability that could let attackers steal data, but downplayed the threat, saying 'only a specific IIS configuration is at risk from this vulnerability.' The flaw, which involves how Microsoft's software processes Unicode tokens, has been found to give attackers a way to view protected files on IIS Web servers without authorization. The vulnerability, exposed by Nikolaos Rangos, could be used to upload files as well. Affecting IIS 6 users who have enabled WebDAV for sharing documents via the Web, the flaw is currently being exploited in online attacks, according to CERT, and is reminiscent of the well-known IIS Unicode path traversal issue of 2001, one of the worst Windows vulnerabilities of the past decade."
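The story describes a flaw in how IIS 6 WebDAV processes Unicode in request paths. As an added illustration from the defender's side (this is not code from the story, Microsoft or CERT), the following Python scans constructed IIS W3C-style log lines for request URIs whose percent-encoded bytes decode to non-shortest-form (overlong) UTF-8, or that collapse to a directory traversal once canonicalised, and reports what path a lenient decoder would actually resolve. The log field layout, the sample addresses and the sample paths are all assumptions made for the example.

```python
"""Flag Unicode-encoding anomalies in IIS-style WebDAV request logs.

Added example, not code from the story, Microsoft or CERT. The W3C field
layout (date time c-ip cs-method cs-uri-stem sc-status) and every sample
line below are constructed for illustration.
"""
import posixpath
import re
from typing import Optional
from urllib.parse import unquote_to_bytes

# Methods WebDAV adds to plain HTTP; PUT is included because the story
# notes the flaw could be used to upload files.
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE",
                  "LOCK", "UNLOCK", "PUT"}

# Constructed sample log: a benign GET, a correctly refused PROPFIND, a
# PROPFIND carrying an overlong UTF-8 slash, a PUT with dot-dot segments,
# and a benign GET with correctly encoded non-ASCII.
SAMPLE_LOG = """\
2009-05-18 10:01:02 203.0.113.5 GET /public/index.htm 200
2009-05-18 10:01:09 203.0.113.5 PROPFIND /protected/ 401
2009-05-18 10:01:11 203.0.113.5 PROPFIND /%c0%afprotected/ 207
2009-05-18 10:02:30 198.51.100.7 PUT /share/%2e%2e/%2e%2e/config.xml 201
2009-05-18 10:03:00 192.0.2.9 GET /docs/r%C3%A9sum%C3%A9.pdf 200
"""


def find_overlong(data: bytes) -> list[int]:
    """Offsets of UTF-8 lead bytes that start a non-shortest-form sequence.
    Strict decoders reject these; lenient ones may map them to ASCII."""
    offsets = []
    for i, b in enumerate(data):
        nxt = data[i + 1] if i + 1 < len(data) else None
        if b in (0xC0, 0xC1):                                   # 2-byte form of ASCII
            offsets.append(i)
        elif b == 0xE0 and nxt is not None and 0x80 <= nxt < 0xA0:  # 3-byte form of <U+0800
            offsets.append(i)
        elif b == 0xF0 and nxt is not None and 0x80 <= nxt < 0x90:  # 4-byte form of <U+10000
            offsets.append(i)
    return offsets


def tolerant_decode(data: bytes) -> str:
    """Decode as a lenient component might: 2-byte sequences are accepted
    even when overlong, so the result is the path such a component sees.
    Everything else decodes strictly (invalid bytes become U+FFFD)."""
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if b < 0x80:
            out.append(chr(b))
            i += 1
        elif 0xC0 <= b <= 0xDF and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        else:
            n = 3 if 0xE0 <= b <= 0xEF else 4 if 0xF0 <= b <= 0xF7 else 1
            out.append(data[i:i + n].decode("utf-8", errors="replace"))
            i += n
    return "".join(out)


def canonical_path(stem: str) -> str:
    """Percent-decode, tolerantly UTF-8-decode, collapse repeated slashes
    and resolve dot segments: the path a lenient server would resolve."""
    decoded = tolerant_decode(unquote_to_bytes(stem))
    return posixpath.normpath(re.sub(r"/+", "/", decoded))


def analyze_line(line: str) -> Optional[dict]:
    """Return a finding for a suspicious request line, else None."""
    fields = line.split()
    if len(fields) < 6:
        return None
    _date, _time, client, method, stem, status = fields[:6]
    raw = unquote_to_bytes(stem)
    reasons = []
    overlong = find_overlong(raw)
    if overlong:
        reasons.append(f"overlong UTF-8 lead byte at offset(s) {overlong}")
    if ".." in tolerant_decode(raw).split("/"):
        reasons.append("dot-dot segment after decoding")
    if not reasons:
        return None
    if method.upper() in WEBDAV_METHODS:
        reasons.append(f"WebDAV method {method.upper()}")
    return {"client": client, "method": method, "stem": stem, "status": status,
            "canonical": canonical_path(stem), "reasons": reasons}


def scan_log(text: str) -> list[dict]:
    """Run analyze_line over every line, attaching 1-based line numbers."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        finding = analyze_line(line)
        if finding:
            finding["line"] = n
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['client']} {f['method']} {f['stem']} "
              f"-> {f['canonical']} ({'; '.join(f['reasons'])})")
```

On the constructed sample the scanner flags only lines 3 and 4: the overlong PROPFIND resolves to `/protected`, the PUT resolves to `/config.xml`, and the correctly encoded `résumé` request is not flagged, which is the false-positive case worth checking before running this over real logs.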

5 of 114 comments

  1. Subliminal messaging by ZinnHelden · Score: 2, Insightful

    'only a specific IIS configuration is at risk from this vulnerability.'

    In my head I keep hearing, "don't use WebDAV, use Exchange and SharePoint!"

    1. Re:Subliminal messaging by Jurily · Score: 2, Insightful

      In my head I keep hearing, "don't use WebDAV, use Exchange and SharePoint!"

      Funny. It sounded like "use software with open standards and secure implementations" to me.

  2. Re:WebDAV used much? by Anonymous Coward · Score: 2, Insightful

    Since no one in their right mind will have WebDAV and NTLM exposed to a public site

    Have you ever worked in IT? Things "no one in their right mind" would do happen all the time. People don't want to remember 10 different passwords, so I can easily see people wanting to be able to update the website with their "windows password". I'm betting this configuration is far more common than you might think.

  3. Re:Are they big enough? by x2A · Score: 2, Insightful

    Anything Microsoft-related on Slashdot forums is automatically flamebait because of the emotional reactions the mere word 'Microsoft' triggers in so many Slashdotters, which makes it unpossible to have a proper serious, well thought out debate. Just look at the replies it's getting. It's pathetic, huh.

    --
    The revolution will not be televised... but it will have a page on Wikipedia

  4. Re:WebDAV used much? by 93 Escort Wagon · Score: 3, Insightful

    Since no one in their right mind will have WebDAV and NTLM exposed to a public site, then the "hackers" can only come from within in the vast majority of scenarios.

    You're making the mistake of assuming that most IIS admins know what they're doing. I'm sure most of them think they know what they're doing, but I'm betting this flaw will get exploited from without much more often than you think it will.

    --
    #DeleteChrome