Microsoft confirms IIS hole

December 29, 2009 – 5:46 AM

Microsoft has confirmed the security hole in its IIS web server, but hasn’t disclosed which versions of the product are affected. According to the finder of the “semi-colon bug”, versions up to and including version 6 are vulnerable. The hole allows attackers, for instance, to camouflage executable ASP files as harmless JPEG files and upload malicious code to a server.

Microsoft’s Security Response Center (MSRC) says it is investigating the vulnerability and has so far not found evidence of any attackers actively exploiting the hole to compromise a server. According to the vendor, the required conditions present an obstacle for successful attacks: Attackers must have authenticated themselves on a server and possess read as well as upload privileges to a directory which, in turn, must allow the execution of code.


  1. One Response to “Microsoft confirms IIS hole”

  2. Results of Investigation into Holiday IIS Claim:

    By manunkind on Dec 29, 2009

You must be logged in to post a comment.