Microsoft has issued a warning that an unpatched flaw in its Internet Information Services web server software is being actively exploited by crackers.
According to an article over on InfoWorld, the company has seen a rise in the number of attacks targeting this latest IIS vulnerability since the flaw was made public last week.
The bug - which affects IIS 5.0, 5.1, 6.0, and 7.0 - can trigger different effects depending on which version you are running: older servers relying on IIS 5 and Windows 2000 are at the highest risk, with a successful attack resulting in remote code execution providing the attacker is able to create a new directory via FTP; newer IIS versions on Windows XP and Windows Server 2003, however, simply suffer from a denial of service crash if the attacker is able to read files via FTP.
Microsoft's security advisory for the flaw states that the issue is currently under investigation as part of the "Microsoft Active Protections Program," and that "upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers."
This action may result in an out-of-cycle update for the software: while Microsoft prefers to stick to its Patch Tuesday release schedule for security updates, the scope of this flaw and the fact it is already being actively exploited in the wild may well tip the company's hand into releasing the fix early.
In the meantime, workarounds to prevent exploitation of the bug include disabling IIS - not really an option for business users who host their website via the software - or preventing access to the FTP service except via trusted addresses.
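Because the article ties the remote code execution case to an attacker who can create a directory over FTP, and the workaround to restricting FTP to trusted addresses, an administrator can check FTP logs for directory-creation attempts from anywhere outside the trusted ranges. The script below is an added example, not from the article or from Microsoft; it assumes W3C extended log format with a `#Fields` header and IIS-style `[session]COMMAND` method tokens, and the log lines and trusted network are constructed.

```python
"""Flag FTP directory-creation attempts (MKD/XMKD) from untrusted addresses.
Assumes W3C extended logs with a #Fields header and '[n]CMD' method tokens."""
import ipaddress
import re

# Constructed sample log; field order is taken from the #Fields header.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2009-09-01 10:00:01 192.168.1.20 admin [1]USER - 331
2009-09-01 10:00:02 192.168.1.20 admin [1]MKD /uploads/new 257
2009-09-01 10:05:10 203.0.113.7 anonymous [2]USER - 331
2009-09-01 10:05:11 203.0.113.7 anonymous [2]MKD /incoming/x 257
2009-09-01 10:06:00 203.0.113.7 anonymous [2]NLST /incoming 226
2009-09-01 10:07:00 198.51.100.9 anonymous [3]MKD /pub/y 550
"""

TRUSTED = [ipaddress.ip_network("192.168.1.0/24")]  # constructed allowlist
WRITE_CMDS = {"MKD", "XMKD"}  # FTP directory-creation commands
SESSION_PREFIX = re.compile(r"^\[\d+\]")  # assumed IIS '[session]' prefix

def parse_w3c(text):
    """Parse W3C extended log text into one dict per record."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            rows.append(dict(zip(fields, line.split())))
    return rows

def is_trusted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED)

def find_untrusted_mkd(text):
    """Return (ip, user, path, status) for directory-creation attempts from
    outside the trusted ranges; status 257 marks a successful MKD."""
    hits = []
    for r in parse_w3c(text):
        cmd = SESSION_PREFIX.sub("", r["cs-method"]).upper()
        if cmd in WRITE_CMDS and not is_trusted(r["c-ip"]):
            hits.append((r["c-ip"], r["cs-username"], r["cs-uri-stem"],
                         int(r["sc-status"])))
    return hits

if __name__ == "__main__":
    for hit in find_untrusted_mkd(SAMPLE_LOG):
        print("untrusted directory creation:", hit)
```

Any hit from an anonymous account is also a sign that write access is wider than the workaround intends.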
Should Microsoft be issuing a patch as soon as possible to fix this flaw, or can it afford to wait for thorough testing - even though ne'er-do-wells are using the hole already? Share your thoughts over in the forums.