dcsimg
RealTime IT News

Microsoft Confirms IIS Server Security Hole

Microsoft Wednesday was accused of trying to downplay a security flaw in its Web server software.

The company issued a bulletin late Tuesday about the so-called "malformed HTR request" vulnerability in Microsoft's popular Internet Information Server 4.0 software.

According to Microsoft, the flaw could allow denial of service attacks or, under certain conditions, could allow arbitrary code to be run on the server.

But that's just the tip of the iceberg, according to Firas Bushnaq, CEO of eEye, the Internet security firm that discovered the hole.

Bushnaq said Microsoft is not publicizing the fact that crackers could exploit the flaw to take complete control over IIS servers, many of which are hosting e-commerce sites.

"We have confirmed on numerous servers that this is exploitable. We got a DOS prompt with system level access to the machine remotely, and other organizations, including big security companies, have been able to reproduce this and get system-level access."

In its bulletin Microsoft has released information about a work-around. The company also promised to provide a patch to eliminate the vulnerability.