Windows IIS 6.0 zero-day vulnerability has been under attack since July 2016

Windows comes with Internet Information Services (IIS). A zero-day vulnerability has been used since July 2016 to attack and compromise IIS 6.0 and take over Windows servers.


The zero-day vulnerability was discovered by two Chinese researchers from the Information Security Lab & School of Computer Science & Engineering, South China University of Technology, Guangzhou, China. A buffer overflow in the ScStoragePathFromUrl function in the WebDAV service in Internet Information Services (IIS) 6.0 in Microsoft Windows Server 2003 R2 allows remote attackers to execute arbitrary code via a long header.

The vulnerability affects only IIS 6.0, released in November 2010, and shipped with Windows Server 2003 and Windows XP Professional x64 Edition. The two researchers published proof-of-concept exploit code on GitHub a few days ago, after Microsoft acknowledged the flaw. Microsoft said it couldn't patch this vulnerability, because the product has reached end of life (EOL) and no more updates are shipped. Further details can also be found at bleepingcomputer.com.

