Web server holes exposed in Mirosoft IIS

Microsoft is investigating reports of a couple of new vulnerabilities found in the FTP service of the IIS web server, which could potentially grant remote code execution to an untrusted user.

Seemingly the flaws were revealed directly to the public last week, rather than the finder bringing them to the attention of Microsoft first.

In an official notice the company said it was aware of limited attacks that used the exploit code.

It said that any one running the IIS FTP server on Windows 2003 or earlier, or running FTP 6.0 on Vista or Windows 2008, should consult the latest security advisory posted to the Microsoft site.

The vulnerability is a stack overflow in the FTP service when listing a long, specially-crafted directory name.

The vulnerable code is only to be found in IIS 5.0 (Windows 2000), IIS 5.1 (Windows XP) and IIS 6.0 (Windows Server 2003).

Microsoft has said a patch was already in development, but it is highly unlikely to be ready in time for this month’s Patch Tuesday.

Sign up for our weekly news round-up!

Sign up to the newsletter: In Brief

Sign up for our regular news round-up!

Sign up for our weekly news round-up!

Sign up to the newsletter: In Brief

I would also like to subscribe to:

Thank you for subscribing