« Hacked: Turning a women's fashion website into a porn site | Main | Bruce Schneier rants about 1984 »

IIS Vulnerability Documented by Microsoft - Includes Workarounds

SANS reports
"Microsoft has just put out an advisory for a privilege escalation vulnerability in Windows that affects IIS and potential SQL server (951306). Basically, authenticated users can use this vulnerability to become LocalSystem. This is probably more of a problem for shared hosting environments were clients could upload malicious code to the webserver and run the exploit to gain additional rights. SQL is less of a problem because permissions have to be explicitly given to allow a SQL user to run code.

The advisory contains workarounds for IIS 6 and 7 that is claimed to blunt this vulnerability. The only negative impact of those workarounds is to add some extra work when adding users but does block the vector of attack."

Article Link: http://isc.dshield.org/diary.html?storyid=4306

Comments

Feed You can follow this conversation by subscribing to the comment feed for this post.


All Comments are Moderated and will be delayed!