Microsoft has confirmed that a vulnerability in its Internet Information Services (IIS) platform is being exploited in ‘limited attacks’ against servers running it.
Microsoft disclosed the vulnerability on Monday. The company said on Friday that it is still working on resolving the problem. Meanwhile, users are advised to follow the advisory issued by Microsoft.
According to the advisory, the vulnerability could allow remote code execution (RCE) on systems using FTP on IIS 5.0, or a denial-of-service attack on systems using FTP on IIS 5.0, IIS 5.1, IIS 6.0, or IIS 7.0. The current version, 7.5, isn’t affected, and FTP 7.5 can be downloaded and installed on IIS 7.0 to protect it.
“Customers should be aware that the Download Center has FTP 7.5 available for Windows Vista and Windows Server 2008. FTP 7.5 is not vulnerable to any of these exploits,” said Alan Wallace, senior communications manager for Microsoft’s security response communications team, in a statement.
Initially, the company said it was investigating a vulnerability only with versions 5 and 6 of IIS.