Microsoft Internet Information Services Two Information

by Carol~ Moderator - 11/13/12 2:01 PM

In Reply to: VULNERABILITIES / FIXES - November 13, 2012 by Carol~ Moderator

Microsoft Internet Information Services Two Information Disclosure Vulnerabilities

Release Date : 2012-11-13

Criticality level : Moderately critical
Impact : Exposure of sensitive information
Where : Froom remote
Solution Status: Vendor Patch

Software: Microsoft Internet Information Services (IIS) 7.x

Description:
A security issue and a vulnerability have been reported in Microsoft Internet Information Services, which can be exploited by malicious, local users and malicious people to disclose certain sensitive information.

1) The security issue is caused due to the server not properly restricting access to certain log files and can be exploited to gain access to usernames and passwords of configured accounts.

Successful exploitation of this security issue requires that Operational log for IIS is enabled (disabled by default).

2) An error within the IIS FTP service when negotiating encrypted communications channels can be exploited to execute certain FTP commands and disclose certain information.

Solution:
Apply updates.

Provided and/or discovered by:
1) The vendor credits Justin Royce, ProDX.
2) Reported by the vendor.

Original Advisory:
Microsoft (KB2733829, KB2716513, KB2719033):
http://technet.microsoft.com/en-us/security/bulletin/ms12-073

http://secunia.com/advisories/51235/