Security Alerts - February 2008

In this month's security bulletins, there are two important bulletins related to IIS. Depending on your environment setup, you might want to patch ASAP even though they are only rated Important. Here are the bulletin details.

Vulnerability in Internet Information Services Could Allow Elevation of Privilege (942831)
http://www.microsoft.com/technet/security/bulletin/ms08-005.mspx 

Take note that MS08-005 affects IIS 5.0, 5.1, 6.0 and even 7.0 :) (except if you have Vista SP1 or W2k8 RTM). Per the bulletin article, for IIS 6.0 the vulnerability point is via MSFTPSVC and NNTPSVC.

Vulnerability in Internet Information Services Could Allow Remote Code Execution (942830)
http://www.microsoft.com/technet/security/bulletin/ms08-006.mspx

For MS08-006, the affected IIS versions include IIS 5.1 and 6.0. IIS 5.0 running on W2k SP4 is not affected; the same applies to Vista and W2k8. The exploit works via the ASP component.

It is worth mentioning that, even with these two bulletins, IIS 6.0 patches/fixes are still relatively few :) I mean, you can count them on one hand: 1, 2, 3, 4! I lost track a bit, as this doesn't happen very often, so I'm not sure when the last one was. Anyway, per the search results, for IIS 6.0 we've got 4: the two above plus MS06-034 and MS04-030.

There has been no critical bulletin for IIS 6.0 to date and, per information from Microsoft, the latest two vulnerabilities were discovered in-house, not by the bad guys out there.