Microsoft accused of downplaying IIS flaw
A security researcher from nCircle is accusing Microsoft of gamesmanship in how it describes an unpatched IIS vulnerability. The flaw lies in the way the WebDAV extension decodes a requested URL, and a successful exploit would allow an attacker to bypass authentication and gain unauthorized access to resources.
"Microsoft has classified this issue two different ways in two different places," says nCircle's Tyler Reguly. "On the SRD blog (it) refers to this as an Information Disclosure vulnerability, while the Microsoft Advisory refers to this as an elevation of privilege."
The point, he said, is that the bug should be called what it is: an access control breach or an authentication bypass. SRD acknowledges the Authentication Bypass but downplays it because you are accessing a single page with the anonymous user privileges, he added.
Read the full story [eweek.com]
Here's our previous coverage of this issue.