Tuesday, May 19, 2009

Microsoft Security Advisory on IIS

Microsoft has issued Security Advisory 971492, Vulnerability in Internet Information Services Could Allow Elevation of Privilege.

If you're using IIS, be aware that attackers may be able to elevate privileges by exploiting a vulnerability in the way the WebDAV extension for IIS handles HTTP requests. For example, I could craft a special anonymous HTTP request and, by leveraging the flaw, gain access to an area that normally requires authentication, and then do things like read some files you don't particularly want me to read.

The Microsoft Security Response Center (MSRC) has more info and advises that they are not aware of any current attacks.

Bottom line: check to see if you need WebDAV in your installation. If not, turn it off, especially if your IIS is Internet-facing, which I'm guessing it is.
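One way to run that check from the outside is to look at what your own server advertises in its reply to an HTTP OPTIONS request. The sketch below is an added example, not part of the original post or the Microsoft advisory; the function name and both sample responses are constructed for illustration, and the headers it looks for are the standard `DAV` header from RFC 4918, `MS-Author-Via`, and WebDAV method names in `Allow`/`Public`.

```python
# Added example: classify a raw HTTP OPTIONS response for signs of WebDAV.
from email.parser import Parser

# Methods defined by WebDAV (RFC 4918), not plain HTTP.
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"}

def webdav_indicators(raw_response: str) -> list[str]:
    """Return the reasons a raw OPTIONS response suggests WebDAV is enabled."""
    # Drop the status line; the remaining header block parses as RFC 822 headers.
    _status, _, header_block = raw_response.partition("\r\n")
    headers = Parser().parsestr(header_block, headersonly=True)
    reasons = []
    # A WebDAV resource advertises its compliance classes in a DAV header.
    if headers.get("DAV"):
        reasons.append("DAV header: " + headers["DAV"].strip())
    if (headers.get("MS-Author-Via") or "").strip().upper() == "DAV":
        reasons.append("MS-Author-Via: DAV")
    # Allow covers the requested URL, Public covers the server as a whole.
    for name in ("Allow", "Public"):
        for value in headers.get_all(name, []):
            methods = {m.strip().upper() for m in value.split(",")}
            found = sorted(methods & WEBDAV_METHODS)
            if found:
                reasons.append(f"{name} lists " + ", ".join(found))
    return reasons

# Constructed sample responses (not captured from a real server).
SAMPLE_DAV_ON = (
    "HTTP/1.1 200 OK\r\n"
    "MS-Author-Via: DAV\r\n"
    "DAV: 1, 2\r\n"
    "Public: OPTIONS, TRACE, GET, HEAD, POST, COPY, MOVE, MKCOL, PROPFIND, "
    "PROPPATCH, LOCK, UNLOCK\r\n"
    "Allow: OPTIONS, TRACE, GET, HEAD\r\n"
    "Content-Length: 0\r\n\r\n"
)
SAMPLE_DAV_OFF = (
    "HTTP/1.1 200 OK\r\n"
    "Public: OPTIONS, TRACE, GET, HEAD, POST\r\n"
    "Allow: OPTIONS, TRACE, GET, HEAD, POST\r\n"
    "Content-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    for label, raw in (("WebDAV on", SAMPLE_DAV_ON), ("WebDAV off", SAMPLE_DAV_OFF)):
        print(label, "->", webdav_indicators(raw) or "no WebDAV indicators")
```

An empty result only means the response did not advertise WebDAV; confirm against the server's own configuration before treating the extension as disabled.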
