Microsoft rebuts IIS vulnerability claims

Redmond follows up on a security researcher's claims of a URL loophole that could let an attacker upload and execute code on an Web server.

Microsoft has denied claims of a new vulnerability in Internet Information Services (IIS) 6, putting the blame instead on poorly configured Web servers.

In a blog post Tuesday, Redmond said it had completed an investigation into claims that a flaw in how the IIS interprets file extensions in uniform resource locators (URLs) can enable an attacker to bypass content filtering software to upload and execute code on an IIS server . The company found "no vulnerability" in IIS.

Security researcher Soroush Dalili highlighted the issue on Christmas Day in a paper released via his Web site (PDF), describing the impact as "highly critical for Web applications."

Read more of "Microsoft debunks IIS vulnerability claims" at ZDNet Asia.

Tags:
Security
About the author
 

Join the discussion

Conversation powered by Livefyre

Show Comments Hide Comments
Latest Galleries from CNET
Best mobile games of 2014
Nissan gives new Murano bold style (pictures)
Top great space moments in 2014 (pictures)
This is it: The Audiophiliac's top in-ear headphones of 2014 (pictures)
ZTE's wallet-friendly Grand X (pictures)
Lenovo reprises clever design for the Yoga Tablet 2 (Pictures)