Microsoft confirms zero-day flaw in IIS

By on
Microsoft confirms zero-day flaw in IIS

Affects versions 5.0, 5.1 and 6.0.

Microsoft has warned of a new zero-day vulnerability in its Internet Information Services (IIS) which could allow remote code execution by hackers.

The company has issued a security advisory for the vulnerability, which lies in the File Transfer Protocol (FTP) service in IIS 5.0, 5.1 and 6.0.

Microsoft said that, although the code has been published widely on the internet, the firm is "not currently aware of active attacks that use this exploit code, or of customer impact at this time".

"The vulnerability is a stack overflow in the FTP service when listing a long, specially-crafted directory name," the company said in a Security Research and Defense blog post.

"To be vulnerable, an FTP server would need to grant untrusted users access to log into and create that long, specially-drafted directory. If an attacker were able to successfully exploit this vulnerability, they could execute code in the context of LocalSystem, the service under which the FTP service runs."

Microsoft is advising companies to prevent untrusted users from having write access to the FTP service until a fully-tested security update is available. This can be achieved by turning off the FTP service if it is not needed, or preventing anonymous users from writing via IIS settings, said the blog posting.

IIS is the second most popular web server in the world after Apache, according to the latest figures.

Got a news tip for our journalists? Share it with us anonymously here.
Copyright ©v3.co.uk
Tags:
codeftpiissecurityservicesoftwarevulnerability

Sponsored Whitepapers

Extracting the value of data using Unified Observability
Extracting the value of data using Unified Observability
Planning before the breach: You can’t protect what you can’t see
Planning before the breach: You can’t protect what you can’t see
Beyond FTP: Securing and Managing File Transfers
Beyond FTP: Securing and Managing File Transfers
NextGen Security Operations: A Roadmap for the Future
NextGen Security Operations: A Roadmap for the Future
Video: Watch Juniper talk about its Aston Martin partnership
Video: Watch Juniper talk about its Aston Martin partnership

Events

Most Read Articles

Qantas calls time on IBM, Fujitsu in tech modernisation

Qantas calls time on IBM, Fujitsu in tech modernisation
Service NSW hits digital services goal two years early

Service NSW hits digital services goal two years early
NBN Co taking orders for 'non-premises' connections

NBN Co taking orders for 'non-premises' connections
Australian scientists build world's first quantum computer IC

Australian scientists build world's first quantum computer IC

Digital Nation

The security threat of quantum computing
The security threat of quantum computing
Integrity, ethics and board decisions in the digital age
Integrity, ethics and board decisions in the digital age
Crypto experts optimistic about future of Bitcoin: Block
Crypto experts optimistic about future of Bitcoin: Block
COVER STORY: Operationalising net zero through the power of IoT
COVER STORY: Operationalising net zero through the power of IoT
IBM global chief data officer on the rise of the number crunchers
IBM global chief data officer on the rise of the number crunchers

Log In

  |  Forgot your password?