A new flaw in Microsoft’s IIS web server software has popped up, and this one is serious. It affects version 6 of IIS and while you do need to have WebDAV turned on and running, it can allow an attacker to completely compromise data on the server.
Threatpost has a very good description of it here.
The sad things about this is first Microsoft has no patch for it, heck they haven’t even confirmed it yet (they are still looking into it). Secondly, there was a similar vulnerability in an earlier version of IIS.
Right now the best bet is to turn off WebDAV if possible, or better yet uninstall it through add/remove programs and Windows Components (it is a sub component of IIS). Figure that you will see a patch for it somewhat soon.
Leave a Reply