Microsoft Security: IIS Vulnerability, Leaked Office 2010 Tech Preview Infected

Article by George Norman (Cybersecurity Editor)

on 20 May 2009

Two pieces of security news to report from the Microsoft camp. The first is that IIS (Internet Information Services) is plagued by a 0-day vulnerability: if exploited by a person with malicious intent via a specially crafted anonymous HTTP request, it could allow the attacker access to locations that require authentication. The second is that the leaked Office 2010 Technical Preview is infected with malware (similar to the leaked Windows 7 RC versions, which were infected by a Trojan that attempted to build a botnet).

Security Response Communications Lead with Microsoft, Christopher Bud, comments on the IIS vulnerability: “wanted to let you know that we have just posted Microsoft Security Advisory (971492). This advisory contains information regarding public reports of a vulnerability in Microsoft Internet Information Services (IIS) that could allow Elevation of Privilege. Products affected are IIS 5.0, IIS 5.1, and IIS 6.0. The advisory contains guidance and workarounds that customers can use to help protect themselves. We will continue to monitor the situation and post updates to the advisory and the MSRC Blog as we become aware of any important new information. At this time, we are not aware of any known attacks that attempt to use this vulnerability.”

According to Christopher Bud, the issue is caused by an elevation of privilege vulnerability that affects the way the WebDAV extension handles HTTP requests. Someone who exploits the vulnerability with an anonymous HTTP request can obtain access to locations that normally require authentication. A patch for this security vulnerability will be provided by the Redmond-based software developer as part of its Patch Tuesday program; if the vulnerability is actively exploited, Microsoft will issue an out-of-band patch.

The Technical Preview version of the upcoming Office 2010 productivity suite that has been leaked and is available for download via torrent sites also poses a security risk to your PC. It seems the software is infected with viruses – this information was acknowledged by the Office 2010 team.

“I wanted to […] acknowledge the information that you have seen today around bits of Office 2010 being leaked. While all of us here are happy to see the incredible excitement and engagement (and are absolutely chomping at the bit to reach the July milestone) we aren’t quite ready to release the technical preview bits. I would encourage all of you to wait until the official bits are available to ensure the best possible experience and not miss out on anything we may include. As a heads up, because we want to ensure our customers are safe, we have been monitoring various torrents and already detected quite a few that were infected. Please be aware that if you download this torrent there is a very good chance you are also getting some unexpected malware with it,” explained Office TPM, Reed Shaffner.

