Microsoft accused of downplaying IIS flaw

A security researcher from nCircle is accusing Microsoft of gamesmanship in its description of an unpatched IIS vulnerability in the way the WebDAV extension  decodes a requested URL. The end result is that a successful exploit would allow a hacker to bypass authentication and gain unauthorized access to resources.

"Microsoft has classified this issue two different ways in two different places," he said. "On the SRD blog (it) refers to this as a Information Disclosure vulnerability, while the Microsoft Advisory refers to this as an elevation of privilege," says nCircle's Tyler Reguly.

The point, he said, is that the bug should be called what it is--an access control breach or an authentication bypass. SRD acknowledges the Authentication Bypass but downplays it because you are accessing a single page with the anonymous user privileges, he added.

Read the full story [eweek.com]

Here's our previous coverage of this issue.

Commenting on this Article is closed.