Microsoft is warning of an IIS zero-day vulnerability in Microsoft Internet Information Services (IIS) Web server, which if successfully exploited, could give an attacker elevated privileges to gain access to sensitive data.
Microsoft said a remote authentication bypass vulnerability exists in the WebDAV extension, a collection of tools used to publish content to IIS Web servers. The Web server does not properly decode a requested URL. An attacker can exploit the flaw by creating a specially crafted anonymous HTTP request to gain access to a location. Microsoft said the hack typically requires authentication.
Microsoft IIS versions 5.0-6.0 are affected. The software giant said it is unaware of any known attacks against the flaw in the wild. But the U.S. Computer Emergency Response Team issued an
Requires Free Membership to View
SearchSecurity.co.UK members gain immediate and unlimited access to breaking UK industry news, virus alerts, new hacker threats, highly focused security newsletters, and more -- all at no cost. Join me on SearchSecurity.co.UK today!
Michael S. Mimoso, Editorial Director
advisory warning on Monday that it is aware of publicly available exploit code and active exploitation of the vulnerability.
As a workaround, users can disable WebDAV functionality, Microsoft said. Users can also deny file system access control lists for anonymous user accounts or use NTFS access control lists to control access to resources on the server.
"Microsoft will take the appropriate action to protect our customers, which may include providing a solution through our monthly security update release process, or an out-of-cycle security update, depending on customer needs," Christopher Budd, the security response communications lead for Microsoft said in a statement.
The flaw was discovered by security researcher Nikolaos Rangos, who posted details to the Full Disclosure security mailing list. In his IIS advisory, Rangos said the flaw enables attackers to bypass password protected folders and upload or download files into a password protected WebDAV folder.
In its 971492 security advisory, Microsoft downplayed the severity of the flaw explaining several security features that must be bypassed to successfully exploit the flaw.
Microsoft said an attacker cannot exceed the level of access granted to the anonymous user account since the IIS file system verifies whether a file is accessible by a given user. Also, the anonymous user account only has read access. Microsoft said the WebDAV extension is not enabled in the default configuration, meaning that many organizations may not be using it.
Danish vulnerability clearinghouse Secunia gave the flaw a moderately critical rating.