Microsoft Confirms IIS Server Security Hole

Microsoft Wednesday was accused of trying to downplay a security flaw in its Web
server software.

The company issued a bulletin late Tuesday about the so-called “malformed HTR request” vulnerability in Microsoft’s popular Internet Information Server 4.0 software.

According to Microsoft, the flaw could allow denial of service attacks or,
under certain conditions, could allow arbitrary code to be run on the server.

But that’s just the tip of the iceberg, according to Firas Bushnaq, CEO of
eEye, the Internet security firm that discovered the hole.

Bushnaq said Microsoft is not publicizing the fact that crackers could
exploit the flaw to take complete control over IIS servers, many of which
are hosting e-commerce sites.

“We have confirmed on numerous servers that this is exploitable. We got a
DOS prompt with system level access to the machine remotely, and other
organizations, including big security companies, have been able to
reproduce this and get system-level access.”

In its bulletin Microsoft has released information about a
work-around. The company also promised to provide a patch to eliminate the

News Around the Web