Microsoft warns of attacks using IIS flaw
Published: 07 Sep 2009 08:12 BST
A vulnerability in Microsoft's software for housing websites is being used for "limited attacks" on the servers it is running on, the company said on Friday.
Microsoft disclosed the Internet Information Services (IIS) vulnerability on Monday, and on Friday said it is still working on a security update to fix the problem. In the meantime, a Microsoft advisory has instructions for a workaround, including disabling various elements of the vulnerable FTP (File Transfer Protocol) service to upload and download files.
According to the advisory, the vulnerability could let somebody run arbitrary code on a server using FTP on IIS 5.0 and conduct a denial-of-service attack using FTP on IIS 5.1, 6.0 and 7.0. The present version 7.5 is not affected, and FTP 7.5 can be downloaded and installed on IIS 7.0 to protect it.
"Customers should be aware that the Download Center has FTP 7.5 available for Windows Vista and Windows Server 2008. FTP 7.5 is not vulnerable to any of these exploits," said Alan Wallace, senior communications manager for Microsoft's security response communications team, in a statement.
Initially, the company said it was investigating a vulnerability only with versions 5 and 6 of IIS.
Did you find this article useful?
5 out of 5 people found this useful
Digg
Slashdot
Del.ici.ous
Stumble
Reddit
