Microsoft denies IIS flaw claims

Microsoft has moved swiftly to deny claims of a critical new IIS flaw

Microsoft has dismissed claims made last week of a critical flaw in the firm's popular Internet Information Services (IIS) web server product, saying that customers using IIS 6.0 in the default configuration or following best practices will have no problems.

Security researcher Soroush Dalili released a research note last week claiming that the flaw could enable hackers to bypass existing security measures and upload malicious code to any affected machine.

"IIS can execute any extension as an Active Server Page or any other executable extension. For instance 'malicious.asp;.jpg' is executed as an ASP file on the server," he explained.

"Many file uploaders protect the system by checking only the last section of the filename as its extension. And by using this vulnerability, an attacker can bypass this protection and upload a dangerous executable file on the server."

However, in an update on its official blog, the Microsoft Security Response Center maintained that there is no vulnerability in IIS.

"What we have seen is that there is an inconsistency in IIS 6 only in how it handles semicolons in URLs. It's this inconsistency that the claims have focused on, saying this enables an attacker to bypass content filtering software to upload and execute code on an IIS server," the blog posting noted.

"The key in this is the last point: for the scenario to work, the IIS server must already be configured to allow both 'write' and 'execute'privileges on the same directory. This is not the default configuration for IIS and is contrary to all of our published best practices. Quite simply, an IIS server configured in this manner is inherently vulnerable to attack."

The team said that as long as IIS 6.0 customers used default configurations or follow Microsoft recommended best practices they "don't need to worry about this issue".