Researchers at Odds over Newly Discovered Vulnerability in Microsoft's IIS

Posted 12/28/2009 at 5:28am | by Paul Lilly

0

Comments

Print

Attackers have a new vulnerability to exploit in Microsoft's Internet Information Services (IIS), which would allow them to execute malicious code on machines configured with the webserver software. According to researcher Soroush Dalili, the bug stems from how IIS parses file names with colons or semicolons. By appending benign file extensions to a malicious file, attackers can effectively bypass filters designed to stop dirty code from getting through, The Register reports.

Dalili said the bug affects all versions of IIS, and while he rated it "highly critical," not everyone agrees with his assessment. Secunia classified the bug as "less critical," which is the security firm's second least "critical" ranking on five-tiered scale.

"Impact of this vulnerability is absolutely high as an attacker can bypass file extension protections by using a semicolon after an executable extension such as '.asp,' '.cer,' '.asa,' and so on," Dalili wrote ."Many web applications are vulnerable against file uploading attacks because of this weakness of IIS.

So why did Secunia only rate it as "less critical?" The company didn't say, noting only that it did confirm the bug on a machine running a fully patched version of Windows Server 2003 R2 SP2 with Microsoft IIS version 6.

Image Credit: gfi.com