Fixes for several IIS issues released in September 2010 patch cycle

We just released a bulletin this September that addresses three IIS vulnerabilites. Two of these were responsibly discolsed, while one was publicly disclosed. The bulletin is on  http://www.microsoft.com/technet/security/bulletin/MS10-065.mspx and contains the mitigations and workarounds in each case. The knowledge base articles for each of the three vulnerabilities are linked below and contain affected platform information.

CVE-2010-1899 [classic ASP]: Denial of Service:  http://support.microsoft.com/kb/2124261/

CVE-2010-2730 [fastCGI]: Remote Code Execution:  http://support.microsoft.com/kb/2271195/

CVE-2010-2731 [Authentication]: Elevation of Privilege: http://support.microsoft.com/kb/2290570/

No Comments