Measure yourself when bashing MS, please

A severity of a bug is not only related to how difficult is to exploit it (and this is a trivial one) It is also inversely proportional to how long it has been there without being exploited or discovered.

Since II6 was launched as part of W2003, that makes this bug something like six years old. So, yes, it probably should not have passed testing. But no, it was not that easy to discover or else it would have been found on the wild already.

El Reg, next time you could have saved me from browsing the IIS site just to know this fact. I understand that until you offshore the actual journalism so that you can focus on your core competencies (more playmobil reconstructions, please) this is something that probably is too much to ask from your limited resources. But I prefer not to browse sites that offer me an upgraded experience if I install SilverLight when using Firefox under Ubuntu.

@AC 18:10

More to the point, how did it get past testing at MS _and_ then all around the world for something like six years? Methinks there is something else going on here as well.

allready fixed

That is, the floodgates were closed long ago: nobody has this feature enabled. There seems to be some disagreement at present about if it affects IIS5. Windows 2000 servers with IIS5 may still have Webdav running. If that is the case, those running their own web page in-house on Windows 2000 Server should turn off WebDav. Any other remnants who have deliberately exposed webdav to the public internet (a tiny and odd minority) can add urlscan (technet.microsoft.com/en-us/security/cc242650.aspx) to sanitise webdav requests.

Very few people expose their file systems to WebDav. Only a tiny tiny minority of those use WebDav to expose their file system to the public internet, and are potentially affected by this.

@david

If it requires doing things not-in-the-default-way it's a fair bet the vast majority of Windows servers are set to their defaults.