Microsoft Confirms IIS Server Security Hole
Microsoft Wednesday was accused of trying to downplay a security flaw in its Web server software.
The company issued a bulletin late Tuesday about the so-called "malformed HTR request" vulnerability in Microsoft's popular Internet Information Server 4.0 software.
According to Microsoft, the flaw could allow denial of service attacks or, under certain conditions, could allow arbitrary code to be run on the server.
"We have confirmed on numerous servers that this is exploitable. We got a DOS prompt with system level access to the machine remotely, and other organizations, including big security companies, have been able to reproduce this and get system-level access."
In its bulletin Microsoft has released information about a work-around. The company also promised to provide a patch to eliminate the vulnerability.