Security Experts:

Connect with us

Hi, what are you looking for?



Millions of Websites Affected by IIS 6.0 Zero-Day

More than 8 million websites could be exposed to a buffer overflow vulnerability in Internet Information Services (IIS) 6.0 that has been exploited in the wild since July 2016, researchers warn.

More than 8 million websites could be exposed to a buffer overflow vulnerability in Internet Information Services (IIS) 6.0 that has been exploited in the wild since July 2016, researchers warn.

The bug was found in the ScStoragePathFromUrl function of the Web Distributed Authoring and Versioning (WebDAV) service in Windows Server 2003 R2’s IIS 6.0. The issue, tracked as CVE-2017-7269, resides in the improper validation of an ‘IF’ header in a PROPFIND request and could allow an attacker to cause denial of service or to run arbitrary code.

Discovered by two researchers with the Information Security Lab & School of Computer Science & Engineering, South China University of Technology Guangzhou, China, the vulnerability was exploited in the wild in July or August 2016. This week, the researchers published a proof-of-concept on GitHub and revealed that Microsoft has already acknowledged the bug.

The WebDAV extension of the HTTP protocol allows clients to perform remote Web content authoring operations, offering support for new HTTP methods, including COPY, LOCK, MKCOL, PROPFIND, and UNLOCK.

The exploit abuses the PROPFIND method and IF header. The former, Trend Micro’s Virendra Bisht explains, “retrieves properties defined on the resource identified by the Request-URI” and is supported by all WebDAV-Compliant resources, while the latter “handles the state token as well as the ETags.”

According to Bisht, “the vulnerability could be exploited with an overly large ‘IF’ header in the ‘PROPFIND’ request with at least two http resource in the IF header.” The researcher also explains that, while successful attacks could lead to remote code execution, unsuccessful attacks could sometimes lead to denial of service conditions.

Data from W3Techs reveals that Microsoft’s IIS is currently the third most popular web server technology out there, powering 11.4% of all websites. While newer versions of Microsoft’s technology are more popular, IIS 6.0 still accounts for 11.3% of the IIS-powered websites, which results in 1.3% of all websites out there being powered by this version.

According to BuiltWith, however, IIS powers 13.8% of all live websites, while the IIS 6.0 version is used by 2.3% of the entire Internet. This means that over 8.3 million live websites are using IIS 6.0, including tens of thousands of the most popular sites out there. However, the number is constantly dropping.

Disabling the WebDAV service on the vulnerable IIS 6.0 installations can mitigate the risk posed by this vulnerability, Trend Micro’s researcher says. The flaw does not affect newer versions of IIS.

Because IIS 6.0 was included with Windows Server 2003, an old operating system version that is no longer supported by Microsoft, it’s unlikely that a patch will be released for this zero-day.

“Nobody should be running IIS 6 in 2017. This is unsupported and unsafe software and must be upgraded ASAP,” Craig Young, Prinicpal Security Researcher for Tripwire, told SecurityWeek. “All vulnerabilities in this software are going to be zero-day forever and while there may be mitigations for this attack, it is incredibly risky to run obsolete software on the Internet.”

“This issue does not affect currently supported versions. We continue to recommend that customers upgrade to our latest operating systems and benefit from robust, modern protection,” a Microsoft spokesperson told SecurityWeek in an emailed statement.

Related: OpenSSL Patches TLS Flaw Exposing Many HTTPS Servers

Related: Shadow Brokers Now Selling Windows, AV Exploits in ZeroNet Marketplace

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.


GoAnywhere MFT users warned about a zero-day remote code injection exploit that can be targeted directly from the internet