MS12-073 Vulnerabilities in Microsoft Internet Information Services (IIS) Could Allow Information Disclosure
2012-11-13 This security update resolves one publicly disclosed vulnerability and one privately reported vulnerability in Microsoft Internet Information Services (IIS). The more severe vulnerability could allow information disclosure if an attacker sends specially crafted FTP commands to the server.
Vulnerabilities addressed in this bulletin:
- Password Disclosure Vulnerability (CVE-2012-2531)
  An information disclosure vulnerability exists when Microsoft Internet Information Services (IIS) fails to properly protect log files.
- FTP Command Injection Vulnerability (CVE-2012-2532)
  An information disclosure vulnerability exists in the way that Microsoft Internet Information Services (IIS) FTP Service negotiates encrypted communications channels.
Bulletin details at Microsoft.com
Related CVE Entries
- CVE-2012-2531
  Microsoft Internet Information Services (IIS) 7.5 uses weak permissions for the Operational log, which allows local users to discover credentials by reading this file, aka "Password Disclosure Vulnerability."
  Max CVSS: 2.1
  EPSS Score: 0.04%
  Published: 2012-11-14
  Updated: 2021-02-05
- CVE-2012-2532
  Microsoft FTP Service 7.0 and 7.5 for Internet Information Services (IIS) processes unspecified commands before TLS is enabled for a session, which allows remote attackers to obtain sensitive information by reading the replies to these commands, aka "FTP Command Injection Vulnerability."
  Max CVSS: 5.0
  EPSS Score: 0.36%
  Published: 2012-11-14
  Updated: 2021-02-05