Only systems that have WebDAV enabled are affected by this vulnerability. In addition, an attacker must be able to send HTTP requests to the vulnerable system to exploit it. Depending on system configuration, the attacker may require access to internal networks to connect to a targeted system.
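Because exposure depends on WebDAV being enabled, a first inventory step is to check which of your own servers advertise it. The following is an added example, not part of the original advisory: it classifies raw HTTP OPTIONS responses by the standard `DAV` header, the `MS-Author-Via` header, and WebDAV methods in `Allow`/`Public`. The function names, verdict labels and sample responses are constructed for illustration, and a server that does not advertise WebDAV is not thereby proven to have it disabled.

```python
# Added example (not from the advisory): triage captured OPTIONS responses from
# your own servers for signs that WebDAV is enabled. Samples are constructed.
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"}

def parse_response(raw):
    """Return (status, headers); headers maps lower-case name -> list of values."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0].split("\n")
    parts = head[0].split()
    status = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else None
    headers = {}
    for line in head[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers

def classify(raw):
    """Return (verdict, reasons) for one raw OPTIONS response."""
    status, headers = parse_response(raw)
    reasons = []
    if "dav" in headers:
        reasons.append("DAV: " + ", ".join(headers["dav"]))
    if any("dav" in v.lower() for v in headers.get("ms-author-via", [])):
        reasons.append("MS-Author-Via lists DAV")
    offered = set()
    for name in ("allow", "public"):  # methods may be split across both headers
        for value in headers.get(name, []):
            offered.update(m.strip().upper() for m in value.split(","))
    hits = sorted(offered & WEBDAV_METHODS)
    if hits:
        reasons.append("methods: " + ", ".join(hits))
    if reasons:
        return "webdav-advertised", reasons
    if status is None or not 200 <= status < 300:
        return "inconclusive", reasons  # blocked or failed probe proves nothing
    return "not-advertised", reasons

# Constructed sample responses (not captured from any real host).
SAMPLES = {
    "dav-on": "HTTP/1.1 200 OK\r\nMS-Author-Via: DAV\r\nDAV: 1, 2\r\n"
              "Public: OPTIONS, GET, HEAD, POST, PROPFIND, LOCK\r\n"
              "Allow: OPTIONS, GET, HEAD\r\n\r\n",
    "dav-off": "HTTP/1.1 200 OK\r\nPublic: OPTIONS, GET, HEAD, POST\r\n"
               "Allow: OPTIONS, GET, HEAD\r\n\r\n",
    "blocked": "HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n",
}

if __name__ == "__main__":
    for host, raw in SAMPLES.items():
        print(host, *classify(raw))
```

Servers classified as `inconclusive` should be checked from their own configuration rather than assumed unaffected.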
An exploit could allow the attacker to bypass security restrictions and access files stored on a targeted server, which may result in the disclosure of sensitive information. Default IIS configurations restrict the actions that an attacker could perform. Because an exploit allows the attacker to act only as the anonymous web account, he or she could view only files that allow IUSR access. The attacker could not write files to IIS folders.
Administrators of sites that host sensitive information on IIS servers that use WebDAV are advised to put effective mitigations into place immediately because exploit code is publicly available. However, there have been no public reports of exploits that attempt to leverage this vulnerability.
The Cisco Applied Intelligence team has created an Applied Mitigation Bulletin to address vulnerabilities that Microsoft disclosed in the June 2009 security bulletin release. This Cisco bulletin, which assists administrators in identifying or mitigating these vulnerabilities using Cisco devices, is available at the following link: Cisco Applied Mitigation Bulletin: Microsoft Security Bulletin Release for June 2009