Microsoft Downplays IIS Security Vulnerability Talk | eWeek
Cybersecurity
SHARE
Facebook X Pinterest WhatsApp

Microsoft Downplays IIS Security Vulnerability Talk

Written By
Brian Prince
Brian Prince
Dec 29, 2009
2 minute read
eWeek content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More

Microsoft is downplaying talk of a zero-day bug in Internet Information Services).

Reports began to circulate Dec. 24 of a security vulnerability in IIS. The issue was due to the way IIS 6.0 handles semicolons in URLs. However Microsoft contends that because IIS must be in an insecure configuration for the attack to work, the handling of semicolons is essentially besides the point.

“The key in this is … for the scenario to work, the IIS server must already be configured to allow both ‘write’ and ‘execute’ privileges on the same directory,”blogged Christopher Budd, communications lead for Microsoft Security Response Center. “This is not the default configuration for IIS and is contrary to all of our published best practices. Quite simply, an IIS server configured in this manner is inherently vulnerable to attack.”

Still, Budd said, “the IIS folks are evaluating a change to bring the behavior of IIS 6.0 in line with other versions.”

The incident was brought to light by security researcher Soroush Dalili, who posted information about the situation on his Website on Dec. 25. According to a Dec. 24 Secunia advisory, the situation is the result of a Web server “incorrectly executing e.g. ASP [Active Server Pages] code included in a file having multiple extensions separated by ‘;’, only one internal extension being equal to ‘.asp’ (e.g. ‘file.asp;.jpg’). This can be exploited to potentially upload and execute arbitrary ASP code via a third-party application using file extensions to restrict uploaded file types.”

If exploited, Dalili said, the issue could allow an attacker to circumvent content filtering software and upload malicious code to an IIS server.

However, customers using IIS 6.0 in the default configuration or following Microsoft’s recommended best practices don’t need to worry about this issue, Budd wrote.

“If, however, you are running IIS in a configuration that allows both ‘write’ and ‘execute’ privileges on the same directory like this scenario requires, you should review our best practices and make changes to better secure your system from the threats that configuration can enable,” he advised.
Brian Prince
eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

facebook
linkedin
youtube
rss
x

Company

About us Contact us Advertise with us

Categories

Latest News Resources Artificial Intelligence Video Big Data & Analytics Cloud Networking

Property of TechnologyAdvice. © 2026 TechnologyAdvice. All Rights Reserved

Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

Terms of Service Privacy Policy California - Do Not Sell My Information