IIS6 reported yesterday WebDAV vulnerability appeared today on the foreign media have reported that hackers will exploit this vulnerability the United States, Indiana Ball State University's server has been hacked. Hackers have not wasted a little bit of time, because the published and exploited loopholes in the time of Monday, only a difference of several hours. As of Tuesday, local time, the university still has not repaired the server successfully, Thursday or Friday is expected to be fully restored.
U.S. computer emergency response team recently revealed that last week, found loopholes in IIS6 WebDAV has been used in the attack, computer security experts by Nikolaos Rangos loopholes can be found a fake HTTP request, view and upload files to IIS6 servers, attacks Microsoft used the process of dealing with Unicode token loophole.
Microsoft said in a statement, have not yet heard of the occurrence of such attacks, but they are being observed, and provide security consultancy to provide users with help. Vulnerability affects only those in the IIS6 enabled system WebDAV protocol, WebDAV used to share documents on the Web.
Attacks will not be required to authorize, see the documents that the server and upload files to the server, Thierry Zoller of independent security experts confirmed the discovery of Rangos, but Zoller said he also did not find the server can be attacked in the run method of any malicious programs. Zoller said, IIS5 and IIS7 will not be affected at present, but Microsoft's other products using WebDAV may also be at risk. He suggested that the user prior to receipt of Microsoft's patch to disable WebDAV protocol.
Rangos said in the interview, the use of the WebDAV technology Exchange server and SharePoint server not under threat.
Cisco made a similar security warnings, they said in a published in the official website of their own security warning that those who use the IIS6 WebDAV technology, and site sensitive documents site administrator should take steps, because the attack code has been available to the public.
没有评论:
发表评论