| Microsoft Wednesday was accused of trying to downplay a security flaw in its Web
server software.
ProCheckUp discovers Several High Risk Vulnerabilities in RSA ::
However the underlying IIS server does recognise and support Unicode . Akshay Agrawal (Practice Manager, Microsoft Information Security ACE Team)
http://www.hackinthebox.org/article.php?sid=4145HOME |
The company issued a bulletin late Tuesday about the so-called "malformed HTR request" vulnerability in Microsoft's popular Internet Information Server 4.0 software.
What's New In IIS 6.0? (Part 1 of 2)::
IIS was once considered one of the main security holes in Windows architecture. . The worker process shuts down the application if the IIS server is
http://www.devx.com/webdev/Article/17085/1763/page/2HOME |
According to Microsoft, the flaw could allow denial of service attacks or,
under certain conditions, could allow arbitrary code to be run on the server.
But that's just the tip of the iceberg, according to Firas Bushnaq, CEO of
eEye, the Internet security firm that discovered the hole.
Bushnaq said Microsoft is not publicizing the fact that crackers could
exploit the flaw to take complete control over IIS servers, many of which
are hosting e-commerce sites.
"We have confirmed on numerous servers that this is exploitable. We got a
DOS prompt with system level access to the machine remotely, and other
organizations, including big security companies, have been able to
reproduce this and get system-level access."
In its bulletin Microsoft has released information about a
work-around. The company also promised to provide a patch to eliminate the
vulnerability.
 Bamboo.com Hopes Investors Zoom In On IPO
 Internet Shares Rebound On Economic News |
Microsoft Confirms IIS Server Security Hole 
PRINT
Add to favorites