Microsoft is investigating reports of a new zero-day vulnerability in its IIS Web server software, and says that the flaw is a problem mainly on servers that are poorly configured.
The vulnerability, which first surfaced last week, exists in versions 6.0 and earlier of IIS, according to an advisory published by researcher Soroush Dalili.
“IIS can execute any extension as an Active Server Page or any other executable extension. For instance ‘malicious.asp;.jpg’ is executed as an ASP file on the server. Many file uploaders protect the system by checking only the last section of the filename as its extension. And by using this vulnerability, an attacker can bypass this protection and upload a dangerous executable file on the server,” the bulletin says.
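To make the advisory's point concrete from the upload handler's side, here is an added example (not code from the article, the advisory, or IIS) that models the weak "last section of the filename" check beside what IIS 6.0 does with a name such as malicious.asp;.jpg, and shows a hardened allow-list check that is not fooled by it. The semicolon-truncation model follows the advisory's description; the allow-list, regex and function names are assumptions of this example.

```python
import re
import uuid

# Constructed allow-list for an image-upload feature (example assumption).
ALLOWED_IMAGE_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}


def naive_upload_check(filename: str) -> bool:
    """The weak check the advisory describes: inspect only the text after the
    last dot, so 'malicious.asp;.jpg' looks like a harmless '.jpg'."""
    ext = filename.rsplit(".", 1)[-1].lower()
    return ext in ALLOWED_IMAGE_EXTENSIONS


def iis6_effective_extension(filename: str) -> str:
    """Model of the IIS 6.0 behaviour in the advisory: the server decides the
    handler from the part of the name before the first ';', so the extension
    that actually matters is taken from that prefix."""
    base = filename.split(";", 1)[0]
    return base.rsplit(".", 1)[-1].lower() if "." in base else ""


# One conservative name: letters/digits/_/- then exactly one dot and a short
# extension. No ';', path separators, '%' or extra dots can pass (assumption).
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}\.[A-Za-z0-9]{1,5}$")


def hardened_upload_check(filename: str) -> bool:
    """Allow-list the whole name, not just its last extension: the server-side
    parse of the name and the handler's parse then cannot disagree."""
    if not SAFE_NAME.fullmatch(filename):
        return False
    return filename.rsplit(".", 1)[-1].lower() in ALLOWED_IMAGE_EXTENSIONS


def safe_storage_name(filename: str):
    """Defence in depth: never store under the client-supplied name. Returns a
    server-generated name with the validated extension, or None if rejected."""
    if not hardened_upload_check(filename):
        return None
    ext = filename.rsplit(".", 1)[-1].lower()
    return f"{uuid.uuid4().hex}.{ext}"
```

The mismatch is the whole bug: naive_upload_check accepts the name as an image while iis6_effective_extension shows the server would hand it to the ASP engine; hardened_upload_check rejects it before it reaches disk.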
In its own advisory on the vulnerability, Microsoft said that most properly configured IIS servers will be at a very low risk of attack from this weakness because the attacker would need to be authenticated on the server and have write access in order to exploit it.
We are still investigating this issue and are not aware of any active attacks but wanted to let customers know that our initial assessment shows that the IIS web server must be in a non-default, unsafe configuration in order to be vulnerable. An attacker would have to be authenticated and have write access to a directory on the web server with execute permissions which does not align with best practices or guidance Microsoft provides for secure server configuration. Customers using out of the box configurations and who follow security best practices are at reduced risk of being impacted by issues like this.
Microsoft’s next scheduled monthly patch release is about two weeks away, and it’s possible that the company could have a patch ready by then if the security team deems the vulnerability to be serious enough to warrant a quick patch release.