Tuesday, February 12, 2008 8:23 PM
by Ken
IIS - two security patches this month
Hi all,
There are two security patches out this month for IIS.
The first (MS08-005) affects Windows XP x86 (IIS 5.1), Windows XP x64 (IIS 6.0), Windows Server 2003 (IIS 6.0) and Vista RTM (IIS 7.0). Vista SP1 and Windows Server 2008 are not affected. This is a local escalation of privilege vulnerability: the attacker must be able to access the server locally, or somehow be able to execute code locally (e.g. by placing a file that contains the necessary code on the server, and then having the server run that code from a remote location).
The second (MS08-006) affects Windows XP (x86/x64) and Windows Server 2003, and is a remote code execution vulnerability. On Windows Server 2003, it does require that the ASP web service extension be enabled.
Whilst it's always disappointing to see new bugs in IIS, I think the overall record of IIS 6.0 has been very good. Since its release in early 2003, we've seen only a handful of bugs that are directly IIS' fault (e.g. the previous ASP issue), and a handful of bugs that can be exploited via IIS (e.g. the previous WebDAV issue). Overall, there are fewer than 5 bugs exploitable via IIS 6.0 - which is a great record, especially when compared with IIS 5.0 and with its major competitors.