By Stephen Shankland, 7 September 2009 08:52
NEWS
A vulnerability in Microsoft's software for housing websites is now being used for "limited attacks" on the servers it's running on, the company said on Friday.
Microsoft disclosed the Internet Information Services (IIS) vulnerability on Monday and said on Friday it's still working on a security update to fix the problem. In the meantime, the advisory has instructions for a workaround, including disabling various elements of the vulnerable FTP (File Transfer Protocol) service to upload and download files.
According to the advisory, the vulnerability could let somebody run arbitrary code on a server using FTP on IIS 5.0 and conduct a denial-of-service attack using FTP on IIS 5.1, 6.0, and 7.0. The present version 7.5 isn't affected, though, and FTP 7.5 can be downloaded and installed on IIS 7.0 to protect it.
"Customers should be aware that the Download Center has FTP 7.5 available for Windows Vista and Windows Server 2008. FTP 7.5 is not vulnerable to any of these exploits," said Alan Wallace, senior communications manager for Microsoft's security response communications team, in a statement.
Initially, the company said it was investigating a vulnerability only with versions 5 and 6 of IIS.
In order to post a comment you need to be registered and logged in.
Log in or create your silicon.com account below