May 28 — Microsoft on Wednesday issued a pair of security alerts addressing potential flaws that could make its software vulnerable to attackers. The highest rated of the two bulletins includes a patch that fixes four separate vulnerabilities in Microsoft’s Internet Information Services (IIS) software. That alert, rated “important,” addresses vulnerabilities that could make servers running the software vulnerable to a denial-of-service attack. “WE DEFINITELY WANT everyone who is running IIS 4.0, 5.0 and 5.1 to install the patch,” said Microsoft program manager Stephen Toulouse. However, IIS 6 and Microsoft Windows Server 2003 are not affected by the flaws, he added.
(MSNBC is a Microsoft - NBC joint venture.)
A second bulletin, rated “moderate,” addresses a vulnerability in Windows Media Services that, if exploited, could result in a denial-of-service attack. The bulletins are Microsoft’s 18th and 19th security warnings of the year.
Of the four issues addressed in the combination patch, the most serious vulnerability is one in the WebDav service that IIS uses for authoring. If exploited, the flaw could cause a server running IIS to stop responding to requests. That vulnerability exists in versions 5.0 and 5.1 of IIS, but not in version 4.0.