Microsoft warns users of in-the-wild IIS/FTP exploits

Microsoft has updated its security advisory, which warns of two FTP server vulnerabilities in Internet Information Services, to reflect in-the-wild exploits taking advantage of the zero-day bugs.

The software giant said in the revised advisory that it "is currently aware of limited attacks that use this exploit code." The vulnerability was first disclosed last Monday on the exploit repository Milw0rm.

In addition, the company is monitoring new proof-of-concept code that was created to launch denial-of-service attacks against vulnerable IIS versions 5.0, 5.1, 6.0 and 7.0, a Microsoft spokeswoman said Friday.

Users should be aware that IIS 7.5 is available for download on Vista and Server 2008 builds, said Alan Wallace, senior communications manager at Microsoft, in a post on the Security Response Center blog.

In its advisory, Microsoft recommends workarounds but admits they may not be completely effective at stopping a DoS attack.

"We're working to develop a security update," Wallace said. "This update will be released once it reaches an appropriate level of quality for broad distribution."

Microsoft is scheduled to release its monthly security fixes on Tuesday, but a patch for this issue is not expected then.
