Microsoft Finds No Hole in IIS 6

By ServerWatch Staff
Posted Dec 31, 2009


Last week Soroush Dalili posted on his web site about a semicolon bug in IIS, Microsoft's Web server, that could result in a vulnerability. After careful review, the software company deemed the claim to be false, eSecurity Planet reports.


After testing claims that IIS 6 is vulnerable to a zero-day attack, Microsoft declared the wild goose chase off.

Microsoft officials say that a hacker who claims to have found a critical zero-day hole in an older version of Internet Information Services (IIS), the company's Web server, is wrong.

"We've completed our investigation into the claims that came up over the holiday of a possible vulnerability in IIS and found that there is no vulnerability in IIS," Christopher Budd, a security program manager in the Microsoft Security Response Center (MSRC), said in a blog post Tuesday.

The claims came in a blog post on Christmas Day by hacker Soroush Dalili. In his post, Dalili said that IIS 6, the version of Microsoft's Web server that came with Windows Server 2003, is vulnerable to attacks based on sending the server a file that uses semi-colons in the file name to trick IIS into thinking the file has one file extension when it actually has another.

Stuart Johnston is a contributing writer to InternetNews.com, based in Bellevue, Wash.

Read the rest of "Microsoft: No Hole in IIS 6 - www.esecurityplanet.com" at eSecurity Planet
