26 Dec 2009
Security experts are warning of a highly critical new zero-day vulnerability in Microsoft’s popular Internet Information Services (IIS) web server product which could allow hackers to bypass existing security measures and upload malicious code to any affected machine.
Security researcher Soroush Dalili warned in a research note that the vulnerability affects IIS 6 and earlier versions, although IIS 7 has yet to be tested and version 7.5 is safe.
“IIS can execute any extension as an Active Server Page or any other executable extension. For instance, ‘malicious.asp;.jpg’ is executed as an ASP file on the server,” he explained.
“Many file uploaders protect the system by checking only the last section of the filename as its extension. And by using this vulnerability, an attacker can bypass this protection and upload a dangerous executable file on the server.”
Vulnerability database firm Secunia rated the flaw as “less critical”, only the second of the five grades on its rating scale, but Dalili maintained the impact of the bug is highly critical.
“Impact of this vulnerability is absolutely high as an attacker can bypass file extension protections by using a semi-colon after an executable extension such as ‘.asp’, ‘.cer’, ‘.asa’, and so on,” he wrote.
“Many web applications are vulnerable against file uploading attacks because of this weakness of IIS.”
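As an added illustration, not taken from the article or from Dalili's research note, the following Python contrasts the last-section-only extension check the article describes with a hardened upload check that rejects the semicolon construction and inspects every dot-separated segment. The extension sets and the stored-name helper are constructed assumptions, not IIS configuration.

```python
import re
import uuid

# Constructed sample: extensions IIS 6 hands to a script engine, per the
# article's examples (.asp, .cer, .asa, "and so on"). Extend for your deployment.
EXECUTABLE_EXTENSIONS = {"asp", "asa", "cer"}

# Constructed sample allow-list for an image uploader.
ALLOWED_UPLOAD_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}


def naive_last_extension_check(filename: str) -> bool:
    """The flawed check the article describes: only the text after the
    final dot is inspected, so 'malicious.asp;.jpg' looks like a JPEG."""
    ext = filename.rsplit(".", 1)[-1].lower()
    return ext in ALLOWED_UPLOAD_EXTENSIONS


def hardened_upload_check(filename: str) -> bool:
    """Reject metacharacters (';' is the one this bug hinges on), treat every
    dot-separated segment as an extension, and allow-list the final one."""
    if re.search(r"[;/\\:\x00]", filename):
        return False
    parts = filename.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return False  # no extension, or a bare dot-file
    exts = parts[1:]
    if any(e == "" or e in EXECUTABLE_EXTENSIONS for e in exts):
        return False  # empty segment or an executable extension anywhere
    return exts[-1] in ALLOWED_UPLOAD_EXTENSIONS


def safe_stored_name(filename: str) -> str:
    """Never store the client-supplied name: keep only the validated
    extension and generate the base name server-side."""
    if not hardened_upload_check(filename):
        raise ValueError("upload rejected: %r" % filename)
    ext = filename.lower().rsplit(".", 1)[-1]
    return "%s.%s" % (uuid.uuid4().hex, ext)


if __name__ == "__main__":
    for name in ("photo.jpg", "malicious.asp;.jpg", "shell.asp.jpg"):
        print(name, naive_last_extension_check(name), hardened_upload_check(name))
```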
According to reports, Microsoft researchers are investigating the vulnerability.
This is not the first time that IIS has been hit by security problems. Back in September Microsoft issued a security advisory warning of a vulnerability in the File Transfer Protocol (FTP) service in IIS 5.0, 5.1 and 6.0 which could allow remote code execution.