<< Back
CVE Number Vulnerability Product Severity Date
MS09-020 Vulnerabilities in Internet Information Services (IIS) Could Allow Elevation of Privilege (970483) Microsoft Windows Critical 10-06-2009

Technical Information

Brief overview of the risk:
This security update resolves one publicly disclosed vulnerability and one privately reported vulnerability in Microsoft Internet Information Services (IIS). The vulnerabilities could allow elevation of privilege if an attacker sent a specially crafted HTTP request to a Web site that requires authentication. These vulnerabilities allow an attacker to bypass the IIS configuration that specifies which type of authentication is allowed, but not the file system-based access control list (ACL) check that verifies whether a file is accessible by a given user.
Detailed Information on the risk:
An elevation of privilege vulnerability exists in the way that the WebDAV extension for IIS handles HTTP requests. An attacker could exploit this vulnerability by creating a specially crafted anonymous HTTP request to gain access to a location that should require authentication. Further information on this exploit is available at : MS09-020

Affected Software

Microsoft Windows 2000 Service Pack 4
Windows XP Professional Service Pack 2 and
Windows XP Professional Service Pack 3
Windows XP Professional x64 Edition Service Pack 2
Windows Server 2003 Service Pack 2
Windows Server 2003 x64 Edition Service Pack 2
Windows Server 2003 with SP2 for Itanium-based Systems