Microsoft rebuts IIS vulnerability claims
Redmond follows up on a security researcher's claims of a URL loophole that could let an attacker upload and execute code on an Web server.
Microsoft has denied claims of a new vulnerability in Internet Information Services (IIS) 6, putting the blame instead on poorly configured Web servers.
In a blog post Tuesday, Redmond said it had completed an investigation into claims that a flaw in how the IIS interprets file extensions in uniform resource locators (URLs) can enable an attacker to bypass content filtering software to . The company found "no vulnerability" in IIS.
Security researcher Soroush Dalili highlighted the issue on Christmas Day in a paper released via his Web site (PDF), describing the impact as "highly critical for Web applications."
Read more of "Microsoft debunks IIS vulnerability claims" at ZDNet Asia.