Security experts are warning of a highly critical new zero-day vulnerability
in Microsoft’s popular Internet Information Services (IIS) web server product
that could allow hackers to bypass existing security measures and upload
malicious code to any affected machine.
Security researcher Soroush Dalili warned in a research note that the
vulnerability affects IIS 6 and earlier versions, although IIS 7 has yet to be
tested and version 7.5 is safe.
“IIS can execute any extension as an Active Server Page or any other
executable extension. For instance ‘malicious.asp;.jpg’ is executed as an ASP
file on the server,” he explained.
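
The filename behaviour described above defeats upload filters that look only at the last extension. The following is an added example, not code from the research note or from Microsoft; the allowlist, the list of script extensions, the function names and the sample filenames are all assumptions. It compares such a check with a stricter one that also renames the stored file.

```python
import os
import re
import uuid

ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif"}  # assumed image allowlist
SCRIPT_EXTENSIONS = {".asp", ".asa", ".cer", ".aspx"}   # assumed, not exhaustive
# Exactly one dot, and only letters, digits, '_' or '-' around it.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]+\.[A-Za-z0-9]+")


def naive_is_allowed(filename: str) -> bool:
    """Weak check: trusts only the text after the last dot."""
    return os.path.splitext(filename)[1].lower() in ALLOWED_EXTENSIONS


def strict_is_allowed(filename: str) -> bool:
    """Accept only 'name.ext' built from safe characters with an allowed ext."""
    if not SAFE_NAME.fullmatch(filename):
        return False  # rejects ';', extra dots, path separators, spaces
    return os.path.splitext(filename)[1].lower() in ALLOWED_EXTENSIONS


def has_embedded_script_extension(filename: str) -> bool:
    """Log-review helper: a script extension appears before a ';' or separator."""
    segments = re.split(r"[;/\\:]", filename.lower())
    return any(os.path.splitext(s)[1] in SCRIPT_EXTENSIONS for s in segments[:-1])


def stored_name(filename: str) -> str:
    """Return a server-generated name so the client-supplied name never hits disk."""
    if not strict_is_allowed(filename):
        raise ValueError("rejected upload name: %r" % filename)
    return uuid.uuid4().hex + os.path.splitext(filename)[1].lower()


if __name__ == "__main__":
    # Constructed sample names; the second is the pattern quoted in the article.
    for name in ("holiday.JPG", "malicious.asp;.jpg", "report.asp"):
        print(name, naive_is_allowed(name), strict_is_allowed(name),
              has_embedded_script_extension(name))
```

Storing uploads under a generated name in a directory where script execution is disabled removes the dependence on how the web server parses the original filename.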