WebDAV | Silicon Shecky

IIS 6.0 WebDAV Flaw Solutions

May 20, 2009 By Michael Kavka Leave a Comment

IT World has a nice little article which gives some tools to help protect those running IIS 6.0 and earlier from the latest exploit. The fun thing is that they are both free tools from Microsoft that basically shut down the WebDAV protocol.

Microsoft has acknowledged the problem, but has not said if or when a patch for it will be available. Windows 2000 servers are more at risk from this vulnerability since WebDAV is turned on by default, in contrast to Windows 2003 where WebDAV is turned off by default.

So, there you have it. Go get the tools and lock it down.

IIS 6.0 Flaw is serious

May 19, 2009 By Michael Kavka Leave a Comment

A new flaw in Microsoft’s IIS web server software has popped up, and this one is serious. It affects version 6 of IIS and while you do need to have WebDAV turned on and running, it can allow an attacker to completely compromise data on the server.

Threatpost has a very good description of it here.

The sad things about this is first Microsoft has no patch for it, heck they haven’t even confirmed it yet (they are still looking into it). Secondly, there was a similar vulnerability in an earlier version of IIS.

Right now the best bet is to turn off WebDAV if possible, or better yet uninstall it through add/remove programs and Windows Components (it is a sub component of IIS). Figure that you will see a patch for it somewhat soon.