informa
/
Attacks/Breaches
Quick Hits

Patch Unlikely for Widely Publicized Flaw in Microsoft IIS 6.0

Microsoft recommends upgrade to latest operating system for more protection.

A zero-day vulnerability in Microsoft's IIS 6.0 Web server software remains unfixed even after two Chinese researchers recently posted a proof-of-concept exploit for it, Threatpost reports. Microsoft recommends "that customers upgrade to our latest operating systems and benefit from robust, modern protection."

The flaw is a buffer overflow in the ScStoragePathFromUrl function in the WebDAV service which allows an arbitrary code to be remotely executed in a PROPFIND request using a long header beginning with "If: <http://."  Microsoft says the current supported versions are not impacted. Disabling WebDAV helps mitigate attacks, Threatpost said.

IIS, or Internet Information Services, currently supports 11.4% of websites behind Apache and Nginx. Among all IIS versions, 11.3% run version 6, and many websites still run on unsupported versions of the software, the report said.

Read details here.

Recommended Reading:
Editors' Choice
Kirsten Powell, Senior Manager for Security & Risk Management at Adobe
Joshua Goldfarb, Director of Product Management at F5