Microsoft web server files open to hacking

Microsoft has warned about a bug that allows attackers to snoop on password-protected files on servers.

Microsoft is investigating reports of a vulnerability in its popular web server Internet Information Services (IIS), which could allow an attacker to access password-protected files.

In its advisory, Microsoft said that "an elevation of privilege vulnerability exists in the way that the WebDAV extension for IIS handles HTTP requests".

Microsoft said it was investigating public reports of the problem, but so far wasn't aware of attacks that tried to use the vulnerability or of any customer impact.

The United States Computer Emergency Readiness Team (US-CERT) said it was already aware of publicly available exploit code and active exploitation of the flaw.

Security researcher Nikolaos Rangos said exploitation of the flaw could allow an attacker to get into password-protected folders, and to list, download and upload files in a password-protected WebDAV folder.

Security engineer Thierry Zoller has more details on the vulnerability, and warned that until the impact was 100 per cent clear, administrators should disable WebDAV.

Last year, Microsoft denied there was any vulnerability in IIS after a massive SQL injection attack had affected hundreds of thousands of web pages.
