New Microsoft IIS Server Vulnerability Exposed

Security expert and researcher Soroush Dalili has warned of a new zero-day vulnerability in Microsoft’s widely used Internet Information Services (IIS) web server which could allow attackers to bypass file-upload protections and run malicious code on the affected machine.

In a blog post, Dalili has categorised the threat as ‘Highly Critical’ and has stressed the need for a patch before the vulnerability is exploited by hackers.

Dubbing the zero-day flaw the ‘semicolon bug’, the researcher wrote in the security warning that IIS can execute any extension as an Active Server Page or as any other executable file type, such as .cer and .asa.

Explaining the bug, he noted that a file named malicious.asp;.jpg is executed as an ASP file on the IIS server because, in his words, “Many file uploaders protect the system by checking only the last section of the filename as its extension. And by using this vulnerability, an attacker can bypass this protection and upload a dangerous executable file on the server”.
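As an added illustration (not code from the article or from the researcher's post), the following Python shows the weak "last section of the filename" check beside a hardened allowlist check, plus a simple rule for flagging suspicious upload names in logs; the extension lists and sample filenames are constructed for this example.

```python
import re

# Constructed lists for this example. The executable extensions are the ones the
# article names as handled by IIS; the allowlist is what an image uploader might accept.
EXECUTABLE_EXTENSIONS = {".asp", ".cer", ".asa"}
ALLOWED_EXTENSIONS = {".jpg", ".png", ".gif"}

# Flags an executable extension that is followed by ';', '.' or the end of the name,
# which is exactly the shape "malicious.asp;.jpg" takes.
SUSPICIOUS_NAME = re.compile(r"\.(asp|cer|asa)(?=[;.]|$)", re.IGNORECASE)


def naive_upload_check(filename: str) -> bool:
    """The weak check described in the article: only the text after the last dot is examined."""
    if "." not in filename:
        return False
    ext = "." + filename.rsplit(".", 1)[-1].lower()
    return ext in ALLOWED_EXTENSIONS  # "malicious.asp;.jpg" passes, because its tail is "jpg"


def hardened_upload_check(filename: str) -> bool:
    """Validate the whole name, not just its tail: one stem, one dot, one allowlisted extension.

    Characters such as ';' never match, so the semicolon trick is rejected outright.
    A real handler should additionally discard the client-supplied name and store the file
    under a server-generated one, in a directory the web server cannot execute from.
    """
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]  # drop any path component
    match = re.fullmatch(r"[A-Za-z0-9_-]{1,64}\.([A-Za-z0-9]{1,5})", name)
    if not match:
        return False
    return "." + match.group(1).lower() in ALLOWED_EXTENSIONS


def is_suspicious_upload_name(filename: str) -> bool:
    """Detection helper for upload logs: does the name carry an executable extension
    anywhere before its final extension, or a ';' at all?"""
    return ";" in filename or SUSPICIOUS_NAME.search(filename) is not None


if __name__ == "__main__":
    for sample in ["holiday.jpg", "malicious.asp;.jpg", "report.asp.jpg", "photo.aspen.jpg"]:
        print(f"{sample:22} naive={naive_upload_check(sample)!s:5} "
              f"hardened={hardened_upload_check(sample)!s:5} "
              f"suspicious={is_suspicious_upload_name(sample)}")
```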

Meanwhile, Microsoft Corp has acknowledged the discovery of the zero-day bug and has announced via a blog post that the company is looking into the matter and that a patch will be released in the near future.

Our Comments

This zero-day bug is not the only one to have recently affected Microsoft IIS: back in September a flaw was discovered in the File Transfer Protocol (FTP) service in IIS 5.0, 5.1 and 6.0 that could allow remote code execution.

Related Links

New critical IIS flaw discovered (V3)

IIS Vulnerability Probably Not Serious For Most Servers (PC Mag)

New Reports of a Vulnerability in IIS (Technet)

Security flaw in Microsoft IIS (h online)