
Innovation in Information Security

Coverage of important Information Security and Information Technology news and events from the research team at Sûnnet Beskerming.


Microsoft Security Patch Release September 2009 Advance Notification - and IIS Vulnerability

Microsoft have announced that they will be releasing five bulletins next week with the September Security Update release. All five bulletins are expected to be rated as Critical and will be for core Windows components.

Not all of the supported Windows versions will be affected by the updates equally, with each version having at least one update that will not be applicable to it.

Microsoft will not be releasing an update for the publicly disclosed vulnerability affecting the FTP service associated with IIS (Internet Information Services) 5.0, 5.1 and 6.0. Public exploit code is readily available; however, Microsoft have not seen any attacks related to exploitation of the vulnerability at this stage. They have published an Advisory for administrators and end users who may be affected by the vulnerability and have launched their Software Security Incident Response Process (SSIRP) to rapidly develop and release an appropriate patch, though no date has been set at this stage. Concerned administrators can apply the workarounds provided in the Advisory to mitigate attacks.

The FTP vulnerability is triggered when the service attempts to display excessively long directory names, and requires somebody to have logged in (anonymously or with an account) and created an appropriate malicious directory.

Further Microsoft guidance can be found at the Security Research & Defense blog.

4 September 2009
