![[H]ardOCP](/images/blank.gif){kind=small}
Results of Investigation into Holiday IIS Claim
Microsoft has completed its internal investigation into claims of a new IIS vulnerability and found that there are no problems aside from poorly configured servers.
The key in this is the last point: for the scenario to work, the IIS server must already be configured to allow both "write" and "execute" privileges on the same directory. This is not the default configuration for IIS and is contrary to all of our published best practices. Quite simply, an IIS server configured in this manner is inherently vulnerable to attack.