Microsoft Downplays IIS Bug Threat

Microsoft Downplays IIS Bug Threat 114

Posted by Soulskill on Wednesday May 20, 2009 @08:53AM from the this-is-not-the-bug-you're-looking-for dept.

snydeq writes "Microsoft confirmed that its IIS Web-server software contains a vulnerability that could let attackers steal data, but downplayed the threat, saying 'only a specific IIS configuration is at risk from this vulnerability.' The flaw, which involves how Microsoft's software processes Unicode tokens, has been found to give attackers a way to view protected files on IIS Web servers without authorization. The vulnerability, exposed by Nikolaos Rangos, could be used to upload files as well. Affecting IIS 6 users who have enabled WebDAV for sharing documents via the Web, the flaw is currently being exploited in online attacks, according to CERT, and is reminiscent of the well-known IIS unicode path traversal issue of 2001, one of the worst Windows vulnerabilities of the past decade."

Microsoft Downplays IIS Bug Threat

This discussion has been archived. No new comments can be posted.

Search 114 Comments Log In/Create an Account

Comments Filter:

'only a specific IIS configuration is at risk' (Score:5, Funny)

by Jurily ( 900488 ) writes: <jurily&gmail,com> on Wednesday May 20, 2009 @08:56AM (#28024153)

The default?

Re:'only a specific IIS configuration is at risk' (Score:5, Funny)

by AliasMarlowe ( 1042386 ) writes: on Wednesday May 20, 2009 @09:13AM (#28024305) Journal

Did they give any configuration which is not at risk?

oblig (Score:5, Funny)

by Benanov ( 583592 ) writes: <[brian.kemp] [at] [member.fsf.org]> on Wednesday May 20, 2009 @09:16AM (#28024339) Journal

One that isn't installed.

Re:'only a specific IIS configuration is at risk' (Score:5, Funny)

by Jurily ( 900488 ) writes: <jurily&gmail,com> on Wednesday May 20, 2009 @09:19AM (#28024357)

Did they give any configuration which is not at risk?
Yes. it's a hidden one, only attainable by those who see the Light. All hail fdisk!

Internal Memo (Score:5, Funny)

by geoffrobinson ( 109879 ) writes: on Wednesday May 20, 2009 @09:22AM (#28024375) Homepage

To Whom It May Be Concerned:
Warner Bros., in an ill-advised attempt to promote Terminator Salvation, created a Skynet virus which aims to take over the world.
For some reason, it targets IIS.
We're doomed. Please head to the bomb shelter and the world will start again with a base of Microsoft employees.
thank you,
Management

Re:Subliminal messaging (Score:3, Funny)

by ZinnHelden ( 1549931 ) writes: on Wednesday May 20, 2009 @09:26AM (#28024419)

Yeah, I may hear their insane whispering, but I'm not giving up my Citadel server.

Re:'only a specific IIS configuration is at risk' (Score:4, Funny)

by cayenne8 ( 626475 ) writes: on Wednesday May 20, 2009 @09:51AM (#28024683) Homepage Journal

"Only servers with WEBDAV installed are vulnerable. WEBDAV is not installed and configured by default."
Sounds like you could avoid it by not allowing Unicode either...
I mean, who really needs 'all' those characters?

It's not a big deal (Score:5, Funny)

by SlappyBastard ( 961143 ) writes: on Wednesday May 20, 2009 @09:53AM (#28024705) Homepage

Anyone using the exploit is prompted repeatedly about whether they really, really want to do it.
Geez. Don't you people know anything about Windows security?

Comment removed (Score:3, Funny)

by account_deleted ( 4530225 ) writes: on Wednesday May 20, 2009 @09:59AM (#28024771)

Comment removed based on user account deletion

Re:WebDAV used much? (Score:3, Funny)

by dbIII ( 701233 ) writes: on Wednesday May 20, 2009 @10:15AM (#28024947)

IIS6 (IIS7 more so though) is totally rock solid and extremely secure
Reality just stood up and punched that misconception on the nose.

Re:'only a specific IIS configuration is at risk' (Score:3, Funny)

by rvw ( 755107 ) writes: on Wednesday May 20, 2009 @10:33AM (#28025203)

I mean, who really needs 'all' those characters?
Here on slashdot, we only need one character: Anonymous Coward!

Re:Are they big enough? (Score:1, Funny)

by Anonymous Coward writes: on Wednesday May 20, 2009 @11:06AM (#28025719)

That sounded dangerously close to being pro-Microsoft, comrade...

There may be more comments in this discussion. Without JavaScript enabled, you might want to turn on Classic Discussion System in your preferences instead.

Microsoft Downplays IIS Bug Threat 114

Microsoft Downplays IIS Bug Threat More Login

Microsoft Downplays IIS Bug Threat

'only a specific IIS configuration is at risk' (Score:5, Funny)

Re:'only a specific IIS configuration is at risk' (Score:5, Funny)

oblig (Score:5, Funny)

Re:'only a specific IIS configuration is at risk' (Score:5, Funny)

Internal Memo (Score:5, Funny)

Re:Subliminal messaging (Score:3, Funny)

Re:'only a specific IIS configuration is at risk' (Score:4, Funny)

It's not a big deal (Score:5, Funny)

Comment removed (Score:3, Funny)

Re:WebDAV used much? (Score:3, Funny)

Re:'only a specific IIS configuration is at risk' (Score:3, Funny)

Re:Are they big enough? (Score:1, Funny)

Related Links Top of the: day, week, month.

Slashdot Top Deals

Slashdot