Microsoft Security Advisory 971492

I wanted to let you know that we have just posted Microsoft Security Advisory (971492).


This advisory contains information regarding public reports of a vulnerability in Microsoft Internet Information Services (IIS) that could allow Elevation of Privilege.  Products affected are IIS 5.0, IIS 5.1, and IIS 6.0. The advisory contains guidance and workarounds that customers can use to help protect themselves. We will continue to monitor the situation and post updates to the advisory and the MSRC Blog as we become aware of any important new information.


At this time, we are not aware of any known attacks that attempt to use this vulnerability.


An elevation of privilege vulnerability exists in the way that the WebDAV extension for IIS handles HTTP requests. An attacker could exploit this vulnerability by creating a specially crafted anonymous HTTP request to gain access to a location that typically requires authentication.


Microsoft will take the appropriate action to protect our customers, which may include providing a solution through our monthly security update release process, or an out-of-cycle security update, depending on customer needs.


To better help understand the issue, Microsoft security experts have provided additional technical details on the Microsoft Security Research & Defense blog.

We have activated our Software Security Incident Response Process (SSIRP) and we are continuing to investigate this issue.  In addition, we are actively working with partners in the Microsoft Active Protections Program (MAPP) and the Microsoft Security Response Alliance (MSRA) program to provide information that they can use to provide broader protections to customers. 


Christopher Budd


 *This posting is provided "AS IS" with no warranties, and confers no rights.*

Comments (7)

  1. Anonymous says:

    Microsoft warnt im Security Advisory 971492 (deutschsprachig) vor einer Sicherheitslücke im "Internet Informations Server" (IIS), falls auf dem IIS WebDAV aktiviert ist. Der IIS 5.1 steht unter Windows XP Professional als optionale Komponente zur Verfügu

  2. Anonymous says:

    [English version below: " Microsoft Security Advisory 971492 related to IIS " ] E’ stato emesso

  3. Anonymous says:

    Update to bilingual still in process! Aggiornato il 19/05/2009 ore 15:00 – Updated on May 19, at 3:00

  4. Anonymous says:

    Microsoft has released advisory 971492   about an Elevation of Privilege issue with the WebDAV extension

  5. Anonymous says:

    Actually this was last evening but in case you missed it here are the details from the MSRC blog: This

  6. Anonymous says:

    The first link below is especially good in providing an FAQ IIS 5/6 Vulnerability – WebDAV FAQ and Workarounds

  7. Anonymous says:

    The first link below is especially good in providing an FAQ IIS 5/6 Vulnerability – WebDAV FAQ and Workarounds

Skip to main content