A software bug in a common component of Microsoft Web servers and Internet Explorer could leave millions of servers and home PCs open to attack, security researchers said Wednesday.
The vulnerability, found by security company Foundstone and confirmed by Microsoft, could allow an Internet attacker to take over a Web server, spread an e-mail virus or create a fast-spreading network worm.
"There are millions of systems and clients that will be affected by this," said George Kurtz, chief executive of Foundstone. "This is huge."
It likely affects the majority of the more than 4.1 million sites hosted on Microsoft's Internet Information Service (IIS) software. In addition, millions of Windows 95, 98, Me and 2000 PCs could also be vulnerable to the software bug.
Microsoft rated the flaw as critical under its new vulnerability evaluation system, which is intended to reduce the number of flaws that receive a "critical" rating so that administrators can identify the most important vulnerabilities to patch.
"There is a possibility that it might be wormable," said Lynn Terwoerds, security program manager for Microsoft's security response center. "It is clearly critical ... we want the patch uptake to be really high."
[Humble mode on] Thanks to xStainDx for the heads up that nekrosoft13 had already posted this in Neowin's Security Bulletins, Patches and Updates Forum; a cardinal sin for a newsposter not to search his own site, really. Sorry guys. Also, I'd like to remind members to post in there if they come across any new security bulletins that may be of note to others. [Humble mode off]
News source: MS bug exposes millions to attack