Microsoft IIS Security Bug Leaves Web Servers Vulnerable
Reports of a zero-day vulnerability affecting Microsoft Internet Information Services surfaced on the Web Dec. 24. Microsoft says it is investigating the matter, and has found so far that only certain configurations of IIS are vulnerable to attack.

Microsoft is investigating reports of a new vulnerability affecting Microsoft Internet Information Services that could be used to execute malicious code on vulnerable Web servers. Details of the vulnerability came out Dec. 25 when security researcher Soroush Dalili posted information about the bug on his Website. According to security company Secunia, the vulnerability is caused by the Web server "incorrectly executing e.g. ASP [Active Server Pages] code included in a file having multiple extensions separated by ';', only one internal extension being equal to '.asp' (e.g. 'file.asp;.jpg'). This can be exploited to potentially upload and execute arbitrary ASP code via a third-party application using file extensions to restrict uploaded file types."
In his write-up of the issue, Dalili explained, "IIS can execute any extension as an Active Server Page ... Many file uploaders protect the system by checking only the last section of the file name as its extension. And by using this vulnerability, an attacker can bypass this protection and upload a dangerous executable file on the server."
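The weak upload check Dalili describes, looking only at the text after the last dot, is easy to see side by side with a hardened one. The following Python is an added example written for this page; it is not code from Microsoft, Secunia or Dalili, and it models only the file-name validation an upload handler performs, not how IIS itself dispatches requests. The extension lists, the sample file names and the helper names (`weak_is_allowed`, `hardened_is_allowed`, `contains_executable_segment`, `safe_storage_name`) are all assumptions made for illustration.

```python
"""
Added example (not from the article): an upload file-name check that trusts only the
final extension, next to a hardened check that rejects separator characters such as
';' and allows exactly one extension. The semicolon-style name the article quotes is
the kind of input the weak check lets through.
"""
import re
import secrets
from typing import Optional

# Extensions the server might treat as server-side script; list is an assumption.
EXECUTABLE_EXTENSIONS = {"asp", "aspx", "asa"}
# Extensions the upload feature is meant to accept; list is an assumption.
ALLOWED_IMAGE_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}


def weak_is_allowed(filename: str) -> bool:
    """The pattern the article describes: look only at the text after the last dot."""
    if "." not in filename:
        return False
    ext = filename.rsplit(".", 1)[-1].lower()
    return ext in ALLOWED_IMAGE_EXTENSIONS


def hardened_is_allowed(filename: str) -> bool:
    """Allow a conservative character set, exactly one extension, and no separators."""
    # Reject path separators, ';', ':', NUL and whitespace outright.
    if re.search(r"[\\/;:\x00\s]", filename):
        return False
    parts = filename.split(".")
    # Require basename + exactly one extension, both non-empty.
    if len(parts) != 2 or not all(parts):
        return False
    base, ext = parts
    if not re.fullmatch(r"[A-Za-z0-9_-]{1,64}", base):
        return False
    return ext.lower() in ALLOWED_IMAGE_EXTENSIONS


def contains_executable_segment(filename: str) -> bool:
    """Detection helper: does any extension-like segment (after the basename) name a script type?"""
    segments = re.split(r"[.;]", filename.lower())
    return any(seg in EXECUTABLE_EXTENSIONS for seg in segments[1:])


def safe_storage_name(filename: str) -> Optional[str]:
    """Never store under the client-supplied name: keep only the validated extension."""
    if not hardened_is_allowed(filename):
        return None
    ext = filename.rsplit(".", 1)[1].lower()
    # Random server-chosen basename; the client's basename is discarded entirely.
    return f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    # Constructed sample names, one benign and one shaped like the article's example.
    for name in ("photo.jpg", "file.asp;.jpg"):
        print(f"{name!r}: weak={weak_is_allowed(name)} hardened={hardened_is_allowed(name)} "
              f"script_segment={contains_executable_segment(name)} stored_as={safe_storage_name(name)}")
```

The last-extension check accepts the semicolon-style name because everything after the final dot reads as a permitted image type; the hardened check refuses any name containing a separator and any name with more than one extension, and the storage helper discards the client's basename altogether so the name written to disk is never attacker-chosen.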