Microsoft confirms IIS security flaw exploits

Microsoft has confirmed that attackers have exploited a vulnerability in the firm's Internet Information Services (IIS) software.

The vulnerability that allows attackers to take over a server or conduct a denial of service attack is in the file transfer function.

The problem was initially said to affect version 5.0, 5.1, 6.0 and 7.0 of Microsoft's IIS product, but an updated security advisory included version 7.0.

Download this free guide

The importance of web security

Join us as we take a look at the different approaches you can take in order to bolster your web security. We find out how to identify and address overlooked web security vulnerabilities, how security controls affect web security assessment results and why web opportunities must be met with appropriate security controls.

Start Download

• Corporate E-mail Address:

  You forgot to provide an Email Address.

  This email address doesn’t appear to be valid.

  This email address is already registered. Please login.

  You have exceeded the maximum character limit.

  Please provide a Corporate E-mail Address.

• • I agree to TechTarget’s Terms of Use, Privacy Policy, and the transfer of my information to the United States for processing to provide me with relevant information as described in our Privacy Policy.

  Please check the box if you want to proceed.

• • I agree to my information being processed by TechTarget and its Partners to contact me via phone, email, or other means regarding information relevant to my professional interests. I may unsubscribe at any time.

  Please check the box if you want to proceed.

By submitting my Email address I confirm that I have read and accepted the Terms of Use and Declaration of Consent.

Microsoft said version 7.5 of the FTP protocol is not vulnerable to any of the known exploits and can be downloaded and installed on IIS 7.0 to protect it.

"The Download Center has FTP 7.5 available for Windows Vista and Windows Server 2008," said Alan Wallace of the Microsoft security response center.

For all other users, Microsoft recommends IIS users implement the workarounds provided in the Advisory under the Workaround section, Wallace wrote in a blog.

Users should follow these guidelines until Microsoft releases a security update once it reaches an "appropriate level of quality for broad distribution," he wrote.

Wallace said more information on suggested actions can be found in Microsoft Knowledge Base Article 975191.