I wanted to let you know that we have just posted Microsoft Security Advisory (971492).

 

This advisory contains information regarding public reports of a vulnerability in Microsoft Internet Information Services (IIS) that could allow Elevation of Privilege.  Products affected are IIS 5.0, IIS 5.1, and IIS 6.0. The advisory contains guidance and workarounds that customers can use to help protect themselves. We will continue to monitor the situation and post updates to the advisory and the MSRC Blog as we become aware of any important new information.

 

At this time, we are not aware of any known attacks that attempt to use this vulnerability.

 

An elevation of privilege vulnerability exists in the way that the WebDAV extension for IIS handles HTTP requests. An attacker could exploit this vulnerability by creating a specially crafted anonymous HTTP request to gain access to a location that typically requires authentication.

 

Microsoft will take the appropriate action to protect our customers, which may include providing a solution through our monthly security update release process, or an out-of-cycle security update, depending on customer needs.

 

To better help understand the issue, Microsoft security experts have provided additional technical details on the Microsoft Security Research & Defense blog.

We have activated our Software Security Incident Response Process (SSIRP) and we are continuing to investigate this issue.  In addition, we are actively working with partners in the Microsoft Active Protections Program (MAPP) and the Microsoft Security Response Alliance (MSRA) program to provide information that they can use to provide broader protections to customers. 

 

Christopher Budd

 

 *This posting is provided "AS IS" with no warranties, and confers no rights.*