Slashdot Mirror


Microsoft Downplays IIS Bug Threat

snydeq writes "Microsoft confirmed that its IIS Web-server software contains a vulnerability that could let attackers steal data, but downplayed the threat, saying 'only a specific IIS configuration is at risk from this vulnerability.' The flaw, which involves how Microsoft's software processes Unicode tokens, has been found to give attackers a way to view protected files on IIS Web servers without authorization. The vulnerability, exposed by Nikolaos Rangos, could be used to upload files as well. Affecting IIS 6 users who have enabled WebDAV for sharing documents via the Web, the flaw is currently being exploited in online attacks, according to CERT, and is reminiscent of the well-known IIS Unicode path traversal issue of 2001, one of the worst Windows vulnerabilities of the past decade."

2 of 114 comments

  1. Re:Not a typical configuration by Idiot with a gun · Score: 1, Troll

    Mayhaps it isn't a major bug, but this is exactly what Microsoft does every time. Downplay their bugs (and take their sweet time patching them), while bashing any high-profile bugs that crop up in open source projects. I'd be more impressed if their response was "There's a bug in IIS, don't use feature X or configuration Y while we fix it."

  2. Re:Internal Memo by 93 Escort Wagon · Score: 0, Troll

    the world will start again with a base of Microsoft employees.

    Assuming they're allowed to reproduce - I've met several of them, and I don't think that's a safe assumption (unless they're interbreeding, but that might not produce viable offspring).

    --
    #DeleteChrome