Microsoft confirms vulnerability in Internet Information Server
Microsoft has confirmed the vulnerability in the Internet Information Server (IIS) which was reported last weekend. Microsoft says that versions 5.0 and 5.1 are affected in addition to version 6.0, though the error is not present in IIS 7.0.
An error in the WebDAV function while decoding URLs containing Unicode characters makes it possible to bypass the authentication functions and access protected folders and files using the anonymous default user account. Microsoft says this user is denied write access on the server by default, contrary to the original report the vulnerability probably does not allow files to be stored on the server.
Normally, says Microsoft, WebDAV is activated after the installation of the IIS, and is only switched off if version 6.0 is installed on Windows Server 2003. Microsoft has published more information about vulnerable IIS configurations in its "Security Research & Defense" blog.
In the security advisory, Microsoft does not, however, say whether the problem will be eliminated with an update. Only after completing its investigation will further steps be taken, which could include issuing a patch, "depending on customer needs". Until then, Microsoft suggests two workarounds: either disable WebDAV or deny access to the anonymous user. Instructions on how to do either are given in the security advisory. Additionally, manipulated URLs can be filtered out with URLScan.
- Vulnerability in Internet Information Services Could Allow Elevation of Privilege, Microsoft security advisory.