Bulletin Severity Rating:Important - This security update resolves one publicly disclosed vulnerability and one privately reported vulnerability in Microsoft Internet Information Services (IIS). The vulnerabilities could allow elevation of privilege if an attacker sent a specially crafted HTTP request to a Web site that requires authentication. These vulnerabilities allow an attacker to bypass the IIS configuration that specifies which type of authentication is allowed, but not the file system-based access control list (ACL) check that verifies whether a file is accessible by a given user. Successful exploitation of these vulnerabilities would still restrict the attacker to the permissions granted to the anonymous user account by the file system ACLs.

View original here: 
MS09-020 - Important: Vulnerabilities in Internet Information Services (IIS) Could Allow Elevation of Privilege (970483)

Tags: a-given-user-, a-malformed-record, access-control, given-user-, privately-reported, restrict-the, security-update, the-anonymous, the-permissions, user-account, windows-search

This entry was posted on Tuesday, June 9th, 2009 at 4:00 am and is filed under Microsoft Security Bulletins. You can follow any responses to this entry through the RSS 2.0 feed.