Microsoft Warns IIS Vulnerability Is Under Attack
Microsoft reports that a zero-day vulnerability in Internet Information Services is now the subject of limited attacks. Exploit code for the IIS vulnerability is known to have been circulating publicly for the past several days.
Microsoft officials are reporting limited attacks targeting a zero-day vulnerability in the FTP service in Internet Information Services. The IIS vulnerability warning follows the release of new exploit code that can be used to create a DoS (denial of service) condition on Windows XP and Windows Server 2003 without requiring Write access. Also, a new proof of concept allowing a DoS was disclosed Sept. 2 that affects FTP 6, which shipped with Windows Vista and Windows Server 2008.
Microsoft first issued an advisory on the bug Sept. 1, a day after exploit code for the vulnerability was posted on Milw0rm. In addition to a DoS, if the bug is successfully exploited it can allow remotely authenticated users to execute arbitrary code via a crafted NLST command that uses wildcards.