Look what Santa left under the tree
Over Christmas there were reports of a zero-day
vulnerability affecting Microsoft Internet Information Services filtering their
way back to Redmond.
Microsoft says it is investigating the matter, and has found so far that only certain configurations of IIS are vulnerable to attack. Details of the vulnerability came out December 25 when security researcher Soroush Dalili posted information about the bug on his Website.
Security outfit Secunia said that the vulnerability is caused by the Web server "incorrectly executing ASP code included in a file having multiple extensions separated by ';', only one internal extension being equal to '.asp' (e.g. 'file.asp;.jpg')."
Apparently this can be exploited to upload and execute arbitrary ASP code via a third-party application that relies on file extensions to restrict uploaded file types. IIS can execute any extension as an Active Server Page, and many file uploaders protect the system by checking only the last section of the file name as its extension. By exploiting this vulnerability, an attacker can bypass that protection and upload a dangerous executable file to the server.
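The weak "last extension only" check the article describes, next to a hardened check that treats every segment of the name as a candidate extension and rejects the ';' separator outright. This is an added example, not code from the article or from Dalili's writeup; the script-extension and whitelist sets are constructed for illustration.

```python
import os
import re

# Constructed sample of extensions a server might hand to a script engine;
# not IIS's actual script map.
SCRIPT_EXTENSIONS = {".asp", ".aspx", ".asa", ".cer", ".cdx"}
# Constructed upload whitelist for an image-upload form.
ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif"}


def naive_upload_allowed(filename: str) -> bool:
    """The weak check from the article: only the text after the last dot
    is treated as the extension, so 'file.asp;.jpg' passes as a JPEG."""
    _, ext = os.path.splitext(filename)
    return ext.lower() in ALLOWED_EXTENSIONS


def hardened_upload_allowed(filename: str) -> bool:
    """Reject names the server might interpret differently than the
    uploader does: any ';', path separator, NUL or ':' in the name, and
    any dotted segment anywhere in the name that maps to a script engine."""
    if re.search(r"[;\\/\x00:]", filename):
        return False
    parts = filename.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return False  # no base name or no extension at all
    candidate_exts = {"." + p for p in parts[1:]}
    if candidate_exts & SCRIPT_EXTENSIONS:
        return False
    # The final extension must still be on the whitelist.
    return "." + parts[-1] in ALLOWED_EXTENSIONS


def compare(filename: str) -> tuple:
    """Return (naive, hardened) verdicts for one client-supplied name."""
    return naive_upload_allowed(filename), hardened_upload_allowed(filename)


if __name__ == "__main__":
    # Constructed test names: the semicolon case from the article, a plain
    # image, a double-extension name and a bare script file.
    for name in ("file.asp;.jpg", "photo.jpg", "photo.asp.jpg", "shell.asp"):
        print(f"{name!r}: naive={compare(name)[0]} hardened={compare(name)[1]}")
```

Storing uploads under a server-generated name rather than the client-supplied one removes the dependence on extension parsing altogether.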
Although Dalili claims the vulnerability is critical,
others are a bit more laid back about it.