Microsoft Downplays IIS Bug Threat
snydeq writes "Microsoft confirmed that its IIS Web-server software contains a vulnerability that could let attackers steal data, but downplayed the threat, saying 'only a specific IIS configuration is at risk from this vulnerability.' The flaw, which involves how Microsoft's software processes Unicode tokens, has been found to give attackers a way to view protected files on IIS Web servers without authorization. The vulnerability, exposed by Nikolaos Rangos, could be used to upload files as well. Affecting IIS 6 users who have enabled WebDAV for sharing documents via the Web, the flaw is currently being exploited in online attacks, according to CERT, and is reminiscent of the well-known IIS unicode path traversal issue of 2001, one of the worst Windows vulnerabilities of the past decade."
'only a specific IIS configuration is at risk' (Score:5, Funny)
The default?
Re:'only a specific IIS configuration is at risk' (Score:5, Funny)
oblig (Score:5, Funny)
One that isn't installed.
Re:'only a specific IIS configuration is at risk' (Score:5, Funny)
Did they give any configuration which is not at risk?
Yes. It's a hidden one, only attainable by those who see the Light. All hail fdisk!
Internal Memo (Score:5, Funny)
To Whom It May Be Concerned:
Warner Bros., in an ill-advised attempt to promote Terminator Salvation, created a Skynet virus which aims to take over the world.
For some reason, it targets IIS.
We're doomed. Please head to the bomb shelter and the world will start again with a base of Microsoft employees.
Thank you,
Management
Re:Subliminal messaging (Score:3, Funny)
Re:'only a specific IIS configuration is at risk' (Score:4, Funny)
Sounds like you could avoid it by not allowing Unicode either...
I mean, who really needs 'all' those characters?
It's not a big deal (Score:5, Funny)
Anyone using the exploit is prompted repeatedly about whether they really, really want to do it.
Geez. Don't you people know anything about Windows security?
Re:WebDAV used much? (Score:3, Funny)
Reality just stood up and punched that misconception on the nose.
Re:'only a specific IIS configuration is at risk' (Score:3, Funny)
I mean, who really needs 'all' those characters?
Here on Slashdot, we only need one character: Anonymous Coward!