Microsoft Promises IIS Bug Patch

Microsoft Corp. last week disclosed that it is working to fix a bug in its popular Web server software, but observers say the patch is unlikely to be ready in time for Tuesday's regular monthly patch release.

Microsoft last Tuesday issued a formal security advisory for the vulnerability in three older versions of its Internet Information Services server, a day after the exploit code went public.

On Wednesday, it issued the advisory that the patch was in development.

As a result of the flaw, IIS's FTP server fails to properly parse specially crafted directory names, allowing hackers to force a stack buffer overflow and then inject malicious code onto the Web server.

In the short term, Microsoft urged administrators responsible for IIS 5.0, 5.1 and 6.0 Web servers to make one of several suggested defensive moves, any one of which will stymie the currently known exploits.

This version of the story originally appeared in Computerworld's print edition.

Copyright © 2009 IDG Communications, Inc.

Shop Tech Products at Amazon