Microsoft warns of new flaw in Internet Information Server

by Shaun Nichols

20 May 2009


Microsoft has issued a security advisory about a new vulnerability in Windows Internet Information Server (IIS).

IIS is a component used primarily by Windows Server systems to provide web hosting services. It is also included in Windows XP Professional, as well as the Business, Enterprise and Ultimate editions of Windows Vista.

Microsoft said that the vulnerability could allow an attacker to gain elevated privileges on a targeted server, possibly allowing the attacker to access and edit data.

The flaw affects IIS versions 4.0, 5.0 and 6.0. The newest version, IIS 7.0, is not believed to be vulnerable. No active attacks targeting the flaw have been reported.

Microsoft said that the vulnerability is exposed when an attacker sends a specially crafted HTTP request to the targeted server. Once the flaw is exploited, the attacker could bypass authentication requirements and access the system with the privileges of the anonymous user account.

The company noted that the impact of the vulnerability is limited by the access administrators have granted to anonymous users. Limiting that access and denying the accounts write access - a default setting for most IIS systems - mitigates the danger of attack.

Many IIS 6.0 users should also be protected, as the vulnerable WebDAV component is disabled in those systems by default.
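One way to audit a server for the behaviour described above, as an added example that is not from the article or from Microsoft's advisory: the Python code below parses IIS W3C extended logs and lists WebDAV-method requests that succeeded with no authenticated user name, which deserve review on paths that are meant to require authentication. The method list, the heuristic and the sample log lines are assumptions constructed for illustration.

```python
# Added example: flag WebDAV requests in IIS W3C extended logs that
# succeeded without an authenticated user name (cs-username logged as "-").
# Heuristic only; PUT and DELETE are plain HTTP but used for WebDAV publishing.
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE",
                  "LOCK", "UNLOCK", "PUT", "DELETE", "SEARCH"}

# Constructed sample log, not real traffic (documentation/private addresses).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status
2009-05-20 10:01:02 10.0.0.5 GET /index.htm - 80 - 192.0.2.10 200
2009-05-20 10:01:09 10.0.0.5 PROPFIND /protected/ - 80 - 192.0.2.44 207
2009-05-20 10:01:15 10.0.0.5 PROPFIND /protected/ - 80 CORP\\alice 192.0.2.20 207
2009-05-20 10:01:21 10.0.0.5 PUT /protected/a.txt - 80 - 192.0.2.44 401
2009-05-20 10:01:30 10.0.0.5 PUT /protected/a.txt - 80 - 192.0.2.44 201
"""


def anonymous_webdav_hits(log_text):
    """Return (date, time, client_ip, method, uri, status) for each WebDAV
    request that returned 2xx with no user name logged."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # IIS can re-emit this header mid-file
            continue
        if not line.strip() or line.startswith("#"):
            continue
        values = line.split()
        if len(values) != len(fields):
            continue                    # malformed or truncated row
        row = dict(zip(fields, values))
        try:
            status = int(row.get("sc-status", ""))
        except ValueError:
            continue
        if (row.get("cs-method", "").upper() in WEBDAV_METHODS
                and row.get("cs-username") == "-"
                and 200 <= status < 300):
            hits.append((row.get("date"), row.get("time"), row.get("c-ip"),
                         row["cs-method"], row.get("cs-uri-stem"), status))
    return hits


if __name__ == "__main__":
    for hit in anonymous_webdav_hits(SAMPLE_LOG):
        print(*hit)
```

On a server where anonymous WebDAV access is intentionally allowed, these rows are expected, so compare the output against the paths that are supposed to require authentication.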

Microsoft did not say when a fix for the vulnerability could be expected. The company's next scheduled security update is 9 June.

This is not the first time that vulnerabilities in IIS have gained attention. In 2001, the component was the main target of the Code Red and Code Blue worms.
