Windows comes with Internet Information Services (IIS). A zero day vulnerability has been used since July 2016 to attack and compromise IIS 6.0 and take over Windows servers.
Advertising
The zero-day vulnerability was discovered by two Chinese researchers from the Information Security Lab & School of Computer Science & Engineering, South China University of Technology Guangzhou, China. A Buffer overflow in the ScStoragePathFromUrl function in the WebDAV service in Internet Information Services (IIS) 6.0 in Microsoft Windows Server 2003 R2 allows remote attackers to execute arbitrary code via a long header.
The vulnerability affects only IIS 6.0, released in November 2010, and shipped with Windows Server 2003 and Windows XP Professional x64 Edition. The two researchers has published proof-of-concept exploit code on GitHub a few days ago, after Microsoft acknowledged the flaw. Microsoft said it couldn't patch this vulnerability, because the product has reached end of life (EOL) and no more updates are shipped. Further details may be found also at bleepingcomputer.com.
