

Vulnerability protection

Microsoft IIS vulnerabilities could allow information disclosure


Report ID: MS201211003
Date Published: 14 November 2012

Criticality: Moderate
Compromise Type: information-disclosure
Compromise From: local-system


Affected Product/Component:

Windows FTP Service 7.0 for IIS 7.0
Windows FTP Service 7.5 for IIS 7.0
Windows FTP Service 7.5 for IIS 7.5
Internet Information Services 7.5




Summary

Two vulnerabilities in Microsoft Internet Information Services (IIS) could each lead to information disclosure.



Detailed Description

Microsoft has issued a security update to address two vulnerabilities found in Microsoft Internet Information Services (IIS). One vulnerability is caused by a failure to properly protect log files, while the other exists because of the way IIS handles FTP commands. Successful exploitation of either vulnerability could allow an attacker to view protected information, but to exploit them the attacker must be able to log on to the local system.

Both vulnerabilities can be patched by downloading the latest update from Microsoft. The update changes the way that IIS manages log file permissions and the way that FTP commands are handled. Users are advised to install the latest update to protect their systems from potential exploit attempts.



CVE Reference

CVE-2012-2531, CVE-2012-2532



Solution

Install the latest security patch for the applicable system, available for download from https://technet.microsoft.com/en-us/security/bulletin/ms12-073



