HomeWinBuzzer NewsMicrosoft Internet Information Services 6.0 Zero-Day Vulnerability Discovered

Microsoft Internet Information Services 6.0 Zero-Day Vulnerability Discovered

The proof of concept exploit in Internet Information Services 6.0 could allow attackers to access machines through websites. Despite being out of support since 2015, IIS 6.0 is still used by millions of websites.


A new zero-day vulnerability targeting Internet Information Services 6.0 has been published on GitHub. The proof-of-concept exploit allows to execute malicious attacks on any running IIS 6.0.

Admittedly, Microsoft openly stopped supporting Internet Information Service 6.0 in July 2015. This cut off coincided with the end of support for Windows Server 2003. The company, as always, advised users still on IIS 6.0 to upgrade to newer versions.

However, it is still estimated that millions of websites still use the outdated software. Windows Server 2003 still has a sizeable footprint, meaning IIS 6.0 is still on corporate networks. Researchers from Trend Micro says the vulnerability has probably been known to attackers since last summer.

Until now, the number of hackers who knew about it was limited. That will undoubtedly grow now that it has been published on GitHub.

“Other are now in the stages of creating malicious code based on the original proof-of-concept (PoC) code,” Trend Micro said in a blog post.

The vulnerability is a buffer overflow in the ScStoragePathFromUrl function of the IIS 6.0 WebDAV service. Microsoft is very unlikely to send out a fix for this considering Internet information Service 6.0 support has ended.

Vulnerability Details

Trend Micro says this is a typical buffer flow issue. Attackers could exploit the flaw through a overlay large ‘IF' header in the ‘PROPFIND' request with two or more http recourses. While there is no guarantee that the exploit will work, if it does an attack could cause a denial of service conditions.

“The PROPFIND method retrieves properties defined on the resource identified by the Request-URI. All the WebDAV-Compliant resources must support the PROPFIND method.”

Microsoft has yet to say anything about this vulnerability, and the company may not even issue a statement. We will wait and see.

Luke Jones
Luke Jones
Luke has been writing about all things tech for more than five years. He is following Microsoft closely to bring you the latest news about Windows, Office, Azure, Skype, HoloLens and all the rest of their products.

Recent News