New IIS vulnerability — Microsoft

Microsoft has announced that a new vulnerability in its flagship server software IIS is being used by hackers to perpetrate attacks against servers it is running on. Details of the vulnerability are available on the Milw0rm website.

Earlier on Monday, Microsoft revealed the Internet Information Services (IIS) vulnerability. As of Saturday, it is still working on a security patch to fix the vulnerability. Meanwhile, Microsoft has announced measures for temporarily mitigating the issue by disabling various features of the FTP service in which the vulnerability was discovered.

The vulnerability allows arbitrary code to be executed on the server using FTP on IIS 5.0. It can be used to conduct a DDoS (distributed denial-of-service) attack using FTP on IIS 5.1, 6.0 and 7.0. The current version of IIS, 7.5, isn’t affected, so FTP 7.5 can be downloaded and installed on IIS 7.0 to provide temporary protection.

Alan Wallace, senior communications manager for Microsoft’s security response team, said, “Customers should be aware that the Download Center has FTP 7.5 available for Windows Vista and Windows Server 2008. FTP 7.5 is not vulnerable to any of these exploits.”

Earlier, the software giant said it was investigating a vulnerability only with versions 5 and 6 of IIS.
