Microsoft has encouraged the reporting of vulnerabilities after it acknowledged that attacks are being made against an existing vulnerability.
In a blog update, Alan Wallace from the Microsoft Security Response Center claimed that, following an update to Security Advisory 975191, it was now seeing limited attacks.
Wallace claimed that: “The initial vulnerability was not responsibly disclosed to Microsoft, which has led to limited, active attacks putting customers at risk. We continue to encourage responsible disclosure of vulnerabilities. We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests.”
“This practice helps to ensure that customers receive comprehensive, high-quality updates for security vulnerabilities without exposure to malicious attackers while the update is being developed.”
Last week Microsoft released Security Advisory 975191 for a vulnerability that could allow remote code execution on affected systems that run the FTP service in Microsoft Internet Information Services (IIS) 5.0, 5.1 and 6.0 and are connected to the internet.
The update also covers a newly published proof of concept allowing denial-of-service (DoS) attacks on Windows XP and Windows Server 2003 with read access to the File Transfer Protocol (FTP) service.
Wallace also claimed that a new proof of concept allowing DoS attacks has been disclosed that affects the version of FTP 6 that shipped with Windows Vista and Windows Server 2008. FTP 7.5 is available for Windows Vista and Windows Server 2008, although Microsoft claimed that FTP 7.5 is not vulnerable to any of these exploits.