RealTime IT News

Microsoft Denies Threat to IIS 6 Web Server

eSecurityPlanet reports on Microsoft's response to claims its Internet Information Services (IIS) Web server, is threatened by a zero-day hole.


Microsoft officials say that a hacker who claims to have found a critical zero-day hole in an older version of Internet Information Services (IIS), the company's Web server, is wrong.

"We’ve completed our investigation into the claims that came up over the holiday of a possible vulnerability in IIS and found that there is no vulnerability in IIS," Christopher Budd, a security program manager in the Microsoft (NASDAQ: MSFT) Security Response Center (MSRC), said in a blog post Tuesday.

The claims came in a blog post on Christmas Day by hacker Soroush Dalili. In his post, Dalili said that IIS 6, the version of Microsoft's Web server that came with Windows Server 2003, is vulnerable to attacks based on sending the server a file that uses semi-colons in the file name to trick IIS into thinking the file has one file extension when it actually has another.

Read the full story at eSecurityPlanet:
Microsoft: No Hole in IIS 6