The Vole says an exploit, which was discovered on December 15, 2006, and made public at the end of May, is actually a feature.
Apparently versions 5.x allow bypass of basic authentication by using the "hit highlight" feature. The hit-highlighting feature can be used by an unauthorised user to nick documents.
The Internet Storm Centre says that hackers have not used this exploit to take over systems to date, that could well change. Especially now we've told them about it.
The Vole has written up the problem in its Knowledge Base article 328832. Apparently, hit-highlighting with Webhits.dll only relies on the Microsoft Windows NT ACL (Access Control List) configuration on 5.x versions.
Security experts are a bit stunned at the Volish attitude. Rather than supply a patch or workaround, Microsoft published six steps to reproduce the exploit. In otherwords Vole is telling the world how to exploit products being used by their customers.
The official Volish line is that all users should upgrade to IIS (Internet Information Services) version 6.0 running on Microsoft Windows Server 2003. IIS 6.0 significantly increases Web infrastructure security, it says here.
And here. µ
Sign up for INQbot – a weekly roundup of the best from the INQ