A guide to the IIS WebDAV vulnerability

Even for experienced security professionals, understanding complex attacks and vulnerabilities can sometimes be a serious challenge. A case in point is the recent Microsoft IIS WebDAV vulnerability, which surfaced last week and has yet to be patched by Microsoft. It is a complicated issue, which some experts say was made more so by the guidance the software maker released about it. Luckily, Steve Friedl of Unixwiz.net has taken the time to make some sense of it all.
Friedl, a security consultant, put together a flowchart that helps administrators work out whether their Web servers are vulnerable. His key piece of advice: if you are not sure whether your servers are at risk, find an expert who can test your machines and give you a definitive answer.
The vulnerability allows a remote anonymous user to bypass authentication checks and access the system in ways not intended for anonymous users: systems are getting hacked with this, and it's important to assess your local security posture and take steps to mitigate exposures that are discovered.
Microsoft published information on this in their Security Advisory (971492), but we found their guidance confusing for users who were not IIS experts. While researching what each of the pieces meant, we decided to create this Tech Tip with a simple flowchart that will help rapidly get to the "not vulnerable" stage if that's indeed the case.
Most systems are likely not vulnerable, but unless the flowchart below leads to "You are not vulnerable", we strongly recommend seeking local expertise to help assess your situation properly.
As Friedl and others have noted, attackers are actively exploiting the IIS WebDAV vulnerability, and because no patch is available yet, it is vital that enterprises take a close look at their Web servers to determine whether they are vulnerable. Microsoft officials have said they are investigating the vulnerability, and given the seriousness of the problem it would not be surprising to see an out-of-band patch for IIS.