Microsoft server hit by vulnerability

HTTP flawÂ…

By Ina Fried, 19 May 2009 09:00

NEWS

A new, unpatched vulnerability exists in one of Microsoft's server products, the company warned late Monday.

In a technical bulletin, the company said it is looking into "public reports of a possible vulnerability in Microsoft Internet Information Services (IIS)".

The company said that a flaw exists in a certain type of web serving operation.

Microsoft said: "An elevation of privilege vulnerability exists in the way that the WebDAV extension for IIS handles HTTP requests.

"An attacker could exploit this vulnerability by creating a specially crafted anonymous HTTP request to gain access to a location that typically requires authentication."

Microsoft said it is not aware of attacks using the vulnerability. The company said it may provide an update as part of its monthly Patch Tuesday or, depending on the severity, could provide a fix outside of its monthly patching schedule.

In the meantime, the company listed on its website certain configuration settings that can help mitigate the impact of the flaw.

Post your comment

In order to post a comment you need to be registered and logged in.

Log in or create your silicon.com account below

Will not be displayed with your comment

By signing up for this service, you indicate that you agree to our Terms and Conditions and have read and understood our Privacy Policy.

Questions about membership? Find the answers in the Membership FAQ