Microsoft on Tuesday confirmed the presence of a privilege-escalation vulnerability in its Internet Information Services (IIS) web server.
The software giant said in an advisory that it was not aware of any attacks attempting to exploit the bug, which impacts IIS versions 5, 5.1 and 6. However, US-CERT revealed Monday that it was aware of publicly available exploit code and active attacks.
The exploit would work by a cybercriminal creating an anonymous but malicious HTTP request, which can take advantage of a vulnerability in the way the WebDAV (Web-based Distrubuted Authoring and Versioning) extension for IIS handles these requests. WebDAV is a set of HTTP extensions that permits users to manage files on web servers.
Eric Schultze, CTO of Shavlik Technlogies, provider of patch management software, said the amount of access that the bug may grant an attacker depends on how the web server is configured and secured.
“In a default configuration — and I would gather most installations — this flaw might allow the attacker to read certain files on the web server but would not allow them to write any files,” he said Wednesday in a statement. “If the attacker is unable to write any files to the web server, it’s far less likely that the attacker can upload or execute any malicious code on the server or gain additional levels of access to the server.”
In its advisory, Microsoft said a number of mitigating factors exist that would make it difficult to exploit the flaw, including enforcing file system ACLs (access control lists), denying write access by default to anonymous user accounts and not enabling by default WebDAV on IIS 6.