IIS issue not a new vulnerability, Microsoft says

Microsoft has shot down reports that its Internet Information Services (IIS) suffers from a vulnerability, saying that customers only need to worry if they are running a nondefault configuration of the web server.

In a blog post on Tuesday, Christopher Budd, security response communications lead at Microsoft, admitted that there is an error, not a vulnerability, in the way that IIS version 6 handles semicolons in URLs, which can allow an attacker to bypass security restrictions to execute malicious code when uploading a file to a web application.

However, for such a scenario to occur, the IIS server "must already be configured to allow both 'write' and 'execute' privileges on the same directory" — a misconfiguration that violates Microsoft's IIS security best practices, he said.

"Quite simply, an IIS server configured in this manner is inherently vulnerable to attack," Budd said. "However, customers who are using IIS 6.0 in the default configuration or are following our recommended best practices don't need to worry about this issue."

Users concerned that they may be running a vulnerable version of IIS should refer to a best practices document from Microsoft, he said.

Budd added that engineers are working to fix the "inconsistency" in IIS 6.
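As an added defensive illustration, not from the article or from Microsoft: the upload check below rejects any client-supplied file name that is not a single safe token with an allow-listed extension, so a name like shell.asp;.jpg never reaches a web directory, and the log scanner flags IIS W3C log entries whose URI stem contains a semicolon, prioritising those where the part before the ';' carries a script-mapped extension. The extension list, the log field order and the sample log lines are assumptions made for the example.

```python
import os
import re

# Extensions IIS 6 maps to script engines (assumed list; match it to the server's script maps).
SCRIPT_MAPPED = {".asp", ".asa", ".cer", ".cdx", ".aspx", ".ashx", ".asmx"}
ALLOWED_UPLOAD = {".jpg", ".jpeg", ".png", ".gif"}
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]+\.[A-Za-z0-9]+$")

def upload_name_ok(filename: str) -> bool:
    """Accept an upload name only if it is one safe token with an allow-listed
    extension; 'shell.asp;.jpg' fails the character check before IIS sees it."""
    name = os.path.basename(filename.replace("\\", "/"))
    if not SAFE_NAME.match(name):
        return False
    return os.path.splitext(name)[1].lower() in ALLOWED_UPLOAD

def classify_stem(stem: str):
    """Return None for a clean cs-uri-stem, else a short reason to review it."""
    if ";" not in stem:
        return None
    head = stem.split(";", 1)[0]
    ext = os.path.splitext(head)[1].lower()
    if ext in SCRIPT_MAPPED:
        return f"script-mapped extension {ext} before ';'"
    return "semicolon in URI stem"

def scan_iis_log(text: str):
    """Walk W3C extended log lines; assumes cs-uri-stem is the 4th field
    (date time cs-method cs-uri-stem ...). Returns (stem, reason) hits."""
    hits = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 4:
            continue
        reason = classify_stem(fields[3])
        if reason:
            hits.append((fields[3], reason))
    return hits

# Constructed sample log lines, not taken from the article.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query sc-status
2009-12-29 10:01:02 GET /images/logo.gif - 200
2009-12-29 10:01:05 POST /upload/save.asp - 200
2009-12-29 10:01:14 GET /uploads/shell.asp;.jpg - 200
2009-12-29 10:02:30 GET /uploads/notes.txt;v=2 - 404
"""
```

Running `scan_iis_log(SAMPLE_LOG)` returns the two semicolon requests, with the shell.asp;.jpg entry carrying the script-mapped reason.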

Security experts expect in-the-wild attacks to grow after Metasploit added the exploit to its framework this week.

"This makes it trivial to compromise badly configured servers," Patrick Fitzgerald, senior security response manager at Symantec, said in a Tuesday blog post. "This development could see a rise in exploitation of this issue."
