Microsoft IIS Servers Vulnerable to FTP Attack

Today's Best Tech Deals

Picked by PCWorld's Editors

Top Deals On Great Products

Picked by Techconnect's Editors

A critical flaw in the FTP component of Microsoft Internet Information Service (IIS) can allow an attacker to execute malicious commands on a server, Microsoft warned in a new security advisory.

According to a Microsoft Security Research & Defense post, if a vulnerable IIS 5.0 (Windows 2000), 5.1 (XP) or 6.0 (Server 2003) FTP service attempts to list a "long, specially-crafted directory name," a stack overflow will occur that can allow for remote code execution. IIS 7.0 (Vista, Server 2008) is not vulnerable, according to the post.

To be hit, "an FTP server would need to grant untrusted users access to log into and create that long, specially-drafted directory."

There is not yet any patch available, and Microsoft says it has seen "detailed exploit code" available online, though it hasn't yet seen any active attacks. Microsoft's post lists workarounds for the time being, including how to prevent anonymous FTP users from being able to create directories.

Note: When you purchase something after clicking links in our articles, we may earn a small commission. Read our affiliate link policy for more details.
  
Shop Tech Products at Amazon