A new, unpatched vulnerability exists in one of Microsoft's server products, the company warned late Monday.
In a technical bulletin,
the company said it is looking into "public reports of a possible
vulnerability in Microsoft Internet Information Services (IIS)."
The company said that a flaw exists in a certain type of Web serving operation.
"An elevation of privilege vulnerability exists in the way that
the WebDAV extension for IIS handles HTTP requests," Microsoft said.
"An attacker could exploit this vulnerability by creating a specially
crafted anonymous HTTP request to gain access to a location that
typically requires authentication."
Microsoft said it is not aware of attacks using the
The company said it may provide an update as part of its monthly Patch
Tuesday or, depending on the severity, could provide a fix outside of
its monthly patching schedule.
In the meantime, the company listed on its Web site certain
configuration settings that can help mitigate the impact of the flaw.