Internet Information Services
Microsoft web server software.
1,584 questions
Vulnerability CVE-2008-1446
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(188.79999999999998, 8%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERU%3C/text%3E%3C/svg%3E)
Rehman, Umar 12/31/2022
1
Reputation point
We are running window server 2008 standard edition with SP2. Our security team has run a PCI Pen test on our web server and it came up with the report mentioned below.
Our sites are hosted on IIS 7.0 .
We have tried installing security patch KB953155 but it is only available to server with SP1 installed.
Is CVE-2008-1446 related to a site hosted on IIS 7.0 or this is something related to printing service running on the server ?
What are our options here?
PCI Pen Test Report
Description and Observation (xyz is a company name here)
A XYZ system was running Windows IIS Server version 7.0 which is affected by known vulnerabilities.
Business Impact
An attacker could potentially exploit the identified vulnerabilities to gain unauthorized access to the remote system, execute malicious code or cause a
DoS condition. This in turn could provide opportunity for a threat actor to gain internal access to resources, distribute malware or gain the ability to perform
website defacement. Code to exploit one of the security vulnerabilities affecting Windows IIS Server 7.0 is publicly available.
Affected URL
● our_site_hosted_on_iis.com
Affected CVE
● CVE-2008-1446
Recommendation(s)
XYZ should consider reviewing the security advisories associated with the application to determine the extent of which the server may
be vulnerable from a versioning and configuration perspective. Improve the current patch process to install the appropriate software upgrades as
described in the vendor’s advisories on a timely basis. Additionally, improve functional vulnerability scanning to identify and remediate these issues.
{count} votes
-
Lex Li (Microsoft) 4,742 Reputation points Microsoft Employee2021-03-19T00:59:15.39+00:00 Windows Server 2008 reached end of life a long while ago, so you have no option but to upgrade.
-
Rehman, Umar 12/31/2022 1 Reputation point
2021-03-22T13:26:46.25+00:00 We have a valid support contract with Microsoft.................
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(3.2, 24%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESW%3C/text%3E%3C/svg%3E)
Sam Wu-MSFT 7,036 Reputation points Microsoft Vendor2021-03-23T08:47:30.687+00:00 @Rehman, Umar 12/31/2022 I also recommend that you upgrade Windows Server, because Microsoft has end of support for Windows Server 2008. End of support for Windows Server 2008
-
Rehman, Umar 12/31/2022 1 Reputation point
2021-03-23T11:04:41.73+00:00 I can understand that Windows Server 2008 is out of support but what Microsoft can offer us with the support contract we have with them ?
-
Sam Wu-MSFT 7,036 Reputation points Microsoft Vendor
2021-03-24T07:19:38.02+00:00 @Rehman, Umar 12/31/2022 You can try to consult the Windows Server team.
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(89.60000000000001, 81%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERA%3C/text%3E%3C/svg%3E)
Reza-Ameri 16,836 Reputation points2021-04-21T17:20:09.08+00:00 Check with your the contacting point in Microsoft and see if you have licensing agreement to upgrade to the latest version of the Windows Server?
Sign in to comment