Published in News

Zero-day vulnerability found in IIS

on 29 December 2009


Look what Santa left under the tree


Over Christmas there were reports of a zero-day vulnerability affecting Microsoft Internet Information Services filtering their way back to Redmond.

Microsoft says it is investigating the matter, and has found so far that only certain configurations of IIS are vulnerable to attack. Details of the vulnerability came out December 25 when security researcher Soroush Dalili posted information about the bug on his Website.

Security outfit Secunia said that the vulnerability is caused by the Web server "incorrectly executing ASP code included in a file having multiple extensions separated by ';', only one internal extension being equal to '.asp' (e.g. 'file.asp;.jpg')."

Apparently this can be exploited to upload and execute arbitrary ASP code via a third-party application that relies on file extensions to restrict uploaded file types. IIS can execute any extension as an Active Server Page, and many file uploaders protect the system by checking only the last section of the file name as its extension. Using this vulnerability, an attacker can bypass that protection and upload a dangerous executable file to the server.
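To make the failure mode concrete, here is an added example (not code from the article, Secunia or Microsoft) contrasting the weak upload filter the article describes, which inspects only the text after the last dot, with a hardened filter that rejects semicolons and treats every dot-separated segment as an extension. The allow-list, the script-extension set and the sample file names are constructed for the demonstration.

```python
import os

# Constructed allow-list of upload types and the script extension the
# article names; on a real server the script set should mirror the IIS
# script map rather than this single entry (assumption for the demo).
ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif"}
SCRIPT_EXTENSIONS = {".asp"}


def weak_check(filename: str) -> bool:
    """The check the article describes: only the last extension is inspected.

    os.path.splitext("file.asp;.jpg") yields ".jpg", so the name is accepted
    even though IIS would run it as ASP.
    """
    ext = os.path.splitext(filename)[1].lower()
    return ext in ALLOWED_EXTENSIONS


def hardened_check(filename: str) -> bool:
    """Reject ';' outright and refuse any segment that maps to a script handler."""
    name = os.path.basename(filename.replace("\\", "/"))
    if ";" in name:
        return False                      # the exact trick from the advisory
    parts = name.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return False                      # no extension, or a bare ".jpg"
    for segment in parts[1:]:
        if "." + segment in SCRIPT_EXTENSIONS:
            return False                  # catches file.asp.jpg as well
    return "." + parts[-1] in ALLOWED_EXTENSIONS


def compare(filenames):
    """Return {name: (weak_verdict, hardened_verdict)} for a batch of names."""
    return {f: (weak_check(f), hardened_check(f)) for f in filenames}


# Constructed sample of names an upload handler might receive.
SAMPLE_UPLOADS = ["photo.jpg", "shell.asp", "shell.asp;.jpg", "photo.asp.jpg"]

if __name__ == "__main__":
    for name, (weak, hard) in compare(SAMPLE_UPLOADS).items():
        print(f"{name:16} last-extension-only: {weak!s:5}  hardened: {hard}")
```

Even with the hardened check, storing uploads under a server-generated name with an allow-listed extension, in a directory with script execution disabled, removes the dependence on the client-supplied name altogether.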

Although Dalili claims the vulnerability is critical, others are a bit more laid back about it.