Slashdot Mirror
Remote 'Root' Exploit in IIS 5.0
eEye Digital Security
was doing some testing that apparently Microsoft hadn't done on its own webserver (IIS 5.0) running on its latest OS (Windows 2000, all versions). "Within a matter of minutes," they say, "a debugger kicked in on inetinfo.exe because of a 'buffer overflow error'" -- and two weeks later, we got simultaneous announcements from Microsoft and eEye. This is a remote SYSTEM-level exploit in a popular webserver, in the wild, i.e., Danger Will Robinson. eEye says about a million servers will need to be patched;
it may be more.
Go see
Microsoft's writeup and patch.
See also
eEye's droll and informative writeup,
which, now that an exploit is confirmed to be in the wild today, has added some source code.
I can excuse holes in IE letting attackers mess up win98 because it's in single user mode all the time, but NT? There's A CHOICE to run programs as 'root' or as a user. For NT and IIS there is no acceptable explanation other than Microsoft saying "We fucked up bigtime."
Dude, if iis 5 didn't have a few remote exploits, so many script kiddies would be out of a hobby. Thank god the proud tradition of most easily defaced webserver continues at microsoft!
Don't be a jerk. Hell I heard the story on NPR this morning and was amazed to see how long /. took to post it.
IIS does some sort of file locking or caching in kernel (probably similar to what khttp does), and that's all. IE runs entirely user mode on NT.
Thanks for FUDing, please drive thru.
Have to configure a service? I beg to differ. My boxes get portscanned a couple dozen times a day. About a third of those scans appear to be coming from Redhat default server installs that were compromised by scripts running on some other Redhat default server install that was compromised by scripts running on some other Redhat default server install that was ...
I hold Redhat responsible for all these portscans to the same extent that I hold Microsoft responsible for the hundreds of Outlook viruses that have appeared in my inbox. Fortunately, neither affects me much, but I know they affect others.
eEye. eEye? Oh...
Yes! WE chinese hackers have modified hundreds of USA web servers' Index.html etc...! Most of them are Windows NT 4 or 2000 LOL Microsoft makes the difference!!!!
2.2.16 was a local exploit only, bad, but nothing like a remote root exploit.
BIND is not enabled by default on most distros.
This is news because it is the worst kind of security hole possible, and its exploitable on a default version of win2000.
An exercise for the reader: modify the exploit given to install a DDoS client, and then write a PERL script that trys the exploit against sequential IP addresses.
The kiddies are falling over each other doing exactly that. The exploit has been out for a few days or so, and I've ALREADY got firewall logs of someone scanning my entire class C for it! This will no doubt end up being even bigger than the rpc.statd in redhat 6.2 exploit in terms of mass exploitation for DDoS purposes.
Frankly, this language choice shows that there's someone at Microsoft with their brain turned on. If nothing else, doesn't seeing this use of pronouns make you stop and think about your preconceptions?
Also, I am a bit annoyed with assumption that if it ever were possible to create a security problem that could only be exploited by female attackers, this security problem would then automatically be minor, since the women obviously are no threat. Not only would many women I know find that attitude insulting, underestimating someone because of their gender can be downright dangerous.
Yeah, I know I'm overanalyzing a joke, which one of the lamest things around; there's I reason this is anonymous. Suppose however that it was discovered that servers painted darker colors ran poorer because they kept overheating, and that in some cases painting a server white made it work better. Would you even _think_ of posting something along the lines of "so _that's_ why my black/hispanic/vietnamese co-workers are so damn lazy"? I mean, maybe some anonymous coward would, but that comment would get moderated into oblivion faster than a speeding mouse. That this got a 5 is just more evidence that way, way too many people have moderator points.
Will the 'fix' from Microsoft involve IIS running with user level privs? I betcha it won't.
Actually the restart feature applies to all W2K services. You specify what to do on the first and second explicitly, and then on subsequent. The options are to restart service, reboot computer, take no action, or run an external program (such as a pager alert program). By default it is set at take no action, meaning the service dies and stays dead until manually restarted.
CmdrSprk writes: Another MS Bug FA-MSP Editor Biachezzzz!!!!! I 0wn3z j00! Sporks rule!
This could enable a remote attacker to conduct a buffer overrun attack and cause code of her choice to run on the server. Such code would run in the Local System security context. This would give the attacker complete control of the server, and would enable her to take virtually any action she chose.
Only females can exploit this hole!*
*Not to be taken out of context
actually, it's not quite so easy. i wrote the exploit, and inititally looked at creating a fix as the initial exploit and ran into the following problems: 1. deleting the file: if you delete the printer dll, it is replaced by the copy in dllcache. if you delete the one in dllcace, it gets replaced by the original. if you delete both at the same time, it then asks for the original install media. self healing files are cool until they reintroduce the problems. 2. removing the extension: there isn't a really easy way to deal with the metabase(the registry like structure used in dealing with iis) using asm 3. size: writing an exploit with around 400 bytes, taking into effect that you have to load addresses and data and have some boot strap code, not to mention that you have to split your code into 2 segments because the buffer overflows right in the middle. if anyone has questions as to why, or how, let me know. i'd be more than happy to explain both to serious inquiries. ryan permeh, ryan@eeye.com
- A.P.
--
Forget Napster. Why not really break the law?
"Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"
Yes, that is exactly how it works, it starts as root so it can bind to port 80. After this it drops its uid and gid back down to whatever is specified in the configuration usually nobody:nobody.
Remote exploits are gaping holes. Using non-root authority to leverage root authority (which was the bug fixed in 2.2.16) is merely a hole, not a gaping one. These are two entirely different classes of security problems. Remote exploits are cause for sounding the alarms. Besides, nobody has said that linux (or a linux application) has never had such a bug. You're setting up straw man arguments to lure careless moderators into throwing "Insightful" points at your insightless post.
The "cue the foo posts in 3, 2, 1..." posts will commence with no subsequent foo posts in 3, 2, 1...
No, the install should simply be secure by default. I would apply the same standard to Linux distributions, and they often fail the test. Microsoft isn't alone here but I don't think this makes it "right". It just makes it common.
Anyone running printer services over the Internet on a server is an utter moron
True, if s/Internet/web/ . But what else can Microsoft do? They're losing SMB print server share to Samba, so they've got to start using something else.
Maybe someone should start a pool on when Microsoft will be removing SMB printing capabilities from their desktop OS...
Indeed - if we are to believe tallying the number of entries in each category given on the security focus page you mention, it would seem that "input validation" is the most common type of security error.
Looking at those vulnerabilities though leads me to conclude that "input validation" is too broad a category - unfortunately, I'm not sure how to divide it up.
That is only if things are running properly.... I assume the big deal about the bug is that it breaks IIS before it has the chance to change to the IWAP_machinename, so the buffer overflow exploit gets executed as system. If I'm wrong let me know...
Kill'em! Kill'em all!
The whole problem would no nowhere as bad if IIS isn't running as system. This is definitely a fault of Microsoft because it wanted things to be nice and easy integrating the NT security with IIS. I can't remember any Linux/BSD distribution installing Apache as root. On NT/Win2000 every service and its dogs run as system, and any of them having a buffer overflow bug would leave the entire system open to sack and pillage.
It needs to be said that there are equivalent stuff on Linux: Most distributions have a BIND package that runs as root, WU-FTPD as well...
Kill'em! Kill'em all!
Lots of people use the feminine pronouns that way. If you say "he", feminists will bite your head off for "assuming that everyone is male", but if you say "she", everybody (except you, apparently) knows that a guy could be doing the same thing. Using she is more convenient than using she/he, or even s/he. Other ways of trying to weasel out of using words with a gender, like using "they", aren't as good. One usually ends up being grammatically incorrect when using "they", because it's plurar and one is trying to talk about a single person. (notice how I used "one" to make that last sentence work? It's not very easy to use either).
#define X(x,y) x##y
#define X(x,y) x##y
Peter Cordes ; e-mail: X(peter@cordes ,
There is no such language as C/C++ - there's C, and there's C++. C++ programmers use string classes. The standard library for C++ includes a pretty good string class (actually a template class that can be used for byte strings and wide character strings).
That's a local (not remote) root exploit in a not-commonly-installed tool.
That's a remote unprivileged-user (not root) exploit in a not-commonly-installed application.
That's a local (not remote) non-root exploit in a not-commonly-installed application.
That's, um, a DoS against Novell Border Manager.
I know it's fun and easy to bash Slashdot for being anti-Microsoft, especially when we report security news, but we don't ignore open-source problems and we only report vulnerabilities which are of pressing and widespread concern.
Jamie McCarthy
Jamie McCarthy
jamie.mccarthy.vg
About This is the not everyone is going to patch thier server some and then cry like a fool when the get hacked. Despite the fact they are many people out there take thier security seriously alot more do not. (I had this happen to a friend where the hosting company did not apply a patch that 6 months old. Well have fun patching and rebooting :)
This exploit is more serious than the others you've listed. It's a remote root exploit, and it affects people who take the out of the box installation.
/.
A comparable Unix exploit would have been the recent BIND fiasco. And that got good coverage on
I get tired of MS bashing too. But I think there's a lot less of it here than there used to be. The article about Easel and Ximian took a lot of heat, but I think it was a healthy thing to post. We're still a long way away from looking at the ethics of some of the Linux IPOs, but it's a start.
This is a big security problem, and it was made worse by some questionable design decisions (automatic restarts, etc.). But the effect isn't really any worse than the recent BIND exploits.
And you could argue, as perhaps the OpenBSD guys might, that by not advising people to run BIND in a chroot jail, the ISC guys are being less responsible than MS, which has published security guidelines that protected the users who followed them from this particular exploit.
But what good does that do? The reality is that both Linux and Windows have their share of security problems. MS has a long list of bad decisions from a security point of view, but we have things like linuxconf. Sacrificing security for convenience isn't just a MS thing. And there are plenty of buffer overflows to go around.
We need to encourage everyone to think about security more seriously. We need to get companies to think about security from the beginning, instead of trying to bolt it on in the end. And we need to make sure that they respond quickly when problems do arise.
This just isn't a Linux vs. MS situation.
crawling or limping is a feature ...
Freaker / TuC
--- I am known for the ones who want to find me on the net. Is that a privacy risk or a privilege? One might wonder..
Language does evolve. It is not because some
stupid rules were adopted at one time that
they should remain. People decide how they
will speak and if they so choose the language
changes and so will the rules.
That rules of the gender choice is illogical
and should be as we do in French and Spanish
which is whatever sounds the best according
to the way the words are spelled. A "table" is
feminine while a "lit" is masculine.
So, a new BIG, HUGE and FAT HOLE in ISS is published... Patch ready... So patch fast if you love IIS so much. However it seems that today the large majority of sysadmins don't read bugtraqs. Anyway this is sure for the very large majority of Windows users. The history of this system has shown that there is a chronical and traditional carelessness for security, starting on m$ and ending on the user himself.
So soon there will be news on how another Pentagon server was screwed up, on how another major corp had his finances washed up and how another major pop-website with tons of kitch and whoolaprizes is "temporarly unavailable".
And who should be blamed for this? The script kiddies like in that 98 scandal with Solaris at Pentagon? The hackers that show how buggy and crappy is a piece of software (here m$ doesn't matter)? The OpenSource, GPL, freeware communities for being much more liberal in these matters? Or the commies for once again digging another hideous conspiration against the US, the Free World and my backyard?
why not just fricken run apache on unix?
....
Just pretend to be professional for a second and use unix...
Personally, I prefer linux to any other operating system I have tried. But in my experience, it's quite hard to convince a business running more established platforms to change to an 'alternative' operating system. I've managed to convince the school I work at to replace one of the Netware servers with a linux machine running samba, but it wasn't easy.
The reason I asked the question in the first place was that I don't know the dis/advantages of using IIS or apache under win32.
I've never really used IIS .. I've never really felt the need, so I don't know what its good points are.
My question is, why not run apache on Windows NT/2000? Does IIS have any major advantages over apache and the wide range of addons which are available for it?
I'm know I'm probably just adding fuel to the fire, but I'm curious how true that sentiment is.
-OT
Change that to "Large, complex programs written in languages like C are subject to buffer overruns", and I'll both agree and point out why I don't like crufty old languages.
And yet when they decide that Bluetooth or USB 2.0 support is too flaky to put in before the initial release of XP, people here howl and moan. Damned if ya do, damned if ya don't.
Cheers,
Well, I had tested the exploit against a Win2K Pro SP1 machine with IIS (PWS) installed and it didn't crash IIS. On another Pro SP1 machine, I installed the patch, and haven't had any ill effects for few days that it's been installed. So, at first glance, it doesn't seem like eEye's exploit works against Pro, but I took steps anyway, and recommend that others do the same. I just renamed msw3prt.dll in the System32 and dllcache directories.
Cheers,
Don't blame Ford when you had your keys to a 3 yr old and they wreck the car....
If the car looked like a toy and was easy to use for the three year old, and on top of this, was of a major brand (i.e. had cred), I would...
[annoying organ music]
Kids, don't forget to send in those Ovalteem labels for your free Windows XP Product Activation DECODER RINGS!
Tune in next week for our latest episode - Clippy's Revenge!
[more annoying organ music, followed by station identification]
== Paul Rickard, Editor of The Microsoft Boycott Campaign ====
Because Bugtraq generally gets us the info months before CERT would?
--
--
"Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
Of course, Ford doesn't advertise that their cars practically run themselves, with no operator needed. Nor do they include a "Getting Started" guide that gives the sense that nothing more is needed than the pointy, clicky, hit FINISH and it's running method. Their allowing their "certified" people to be churned out after a week of rote-cramming and little-to-no practical experience furthered that image. So many MCSEs have proved to be so obviously clueless that the idea that NT can be competently adminned by someone with a clue deficiency.
--
--
"Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
Anyone running printer services over the Internet on a server is an utter moron for one.
How else would you run printer services over the Internet, assuming that's what you require? Throw an HP JetDirect box next to your router? Or set up an IPP daemon on a server you can secure, printing to the printers, and lock it down?
As an aside, are there any good, securable IPP daemons for any OS out there yet? I haven't touched Win2000's IPP service yet, and haven't had much chance to look into CUPS on Linux.
--
--
"Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
Quite so. The weary WebAdmin, as well as the SysAdmin and Network Operator can all sleep easy knowing that Joe RandomScriptKiddie is remotely administering the latest updates to their Win2000 servers for them.
--
--
"Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
What if it's crawling or limping, as would be more likely than "running?"
--
--
"Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
Its not just that, but this is a big story because MS has hyped themselves up as the end-all be-all to the companies that shell out the bucketloads of cash for their support on IIS.
If IBM's Websphere had an exploit would anyone care? No.
If Sun's iPlanet webserver had a big gaping root exploit, would anyone care? No.
If Netscapes crappy web server had issues, would anyone care? No.
The only reason IIS (and apache) make big news is because they're the biggest players, and they have the largest groups of zealots on both sides drawing attention to itself.
Any piece of software is going to have bugs -- If it's job is to serve material over the net, there's going to be some sort of exploit.
So there's another exploit. The vendor will patch it. Big deal. Move on with business.
~dlb
Some interesting quotes are:
2 S0 003
"IIS has been a cancer on Windows 2000," he says. "Including that code in the Windows 2000 base vs. it being a separate application was a huge mistake."
InformationWeek:How much more complex is Windows 2000 security compared with Windows NT 4.0? And in what ways is it more complex?
Fossen: It's roughly 10 times more complex. The security infrastructure of Windows 2000 includes Active Directory, Encrypting File System, Group Policy, IPSec, Kerberos, public key infrastructure, remote-access policies, and smart-card logon services. NT security is characterized by the ad hoc plugging of security holes; Windows 2000 security is characterized by the management of these security services to make security scale across an enterprise. Holes still need to be plugged, of course, but now there are built-in tools to make even that effort easier.
http://www.informationweek.com/story/IWK2001050
http://www.informationweek.com/834/winsec.htm
With Windows 2000's complexity and some poor design decisions, I have a feeling we will see more major security flaws in the future.
In a world that is Free and Open, who needs Windows and Gates?
I suppose you've never heard of tunneling?
I can't imagine any valid use of an open printer to the internet...No self-respecting script-kiddie (yes I know that's an oxymoron) would drop by to pick up his/her printouts.
P.S. Note the correct form of denoting unknown gender
So lets say http://www.microsoft.nl and http://www.microsoft.be aren't vulnerable then? (sorry, couldn't resist...) (just two of the three I happened to check. On the plus side, www.microsoft.de is still running IIS 3.0 so it's safe from this one...)
...why do they have such a dorky name?
But I also found the timing of the Microsoft announcement and the eEye announcement on Bugtraq interesting. They came out basically at the same time, and there is nothing about eEye's self-aggrandizing announcement that makes me think they would be particularly sensitive to protocl.
One of two things happened; either those eEye guys are more polite and rational than they sound, or else bugtraq held the announcements to coincide. Acutally I'm guessing both.
Boss of nothin. Big deal.
Son, go get daddy's hard plastic eyes.
Expanding a vast wasteland since 1996.
That is a frequent misconception. Even if it was true in the past - which is debatable - it's no longer true today, because people take it to mean "that male". Even journalists now use "they" instead of "he" (although there are ways to rephrase some sentences to avoid having to face the problem in the first place). Newsflash: language evolves.
See: http://www.cs.rice.edu/~ian/Manifestoes/heVsThey.s html
Female Prison Rape in NY
I'm sure eEye has a very long list of bugs just like this one that they will not release until the media attention dies down.
How we know is more important than what we know.
That's their business, it is hardly a new tactic. The only way to sell security is via the media, because only an expert can tell the difference between two security companies. They are indeed in it for the publicity. They are sending a very specific message to the media: if you had their product installed you would not be vulnerable (note: they had fixed this bug even before they found it!), but seeing as you dont, well here's the exploit kids, have fun. Actually it's not like that, but it was last time :)
How we know is more important than what we know.
They took 11 days to change one byte.
How we know is more important than what we know.
All true. Personally I'd prefer they fix the bug than give out sploits to everyone. If you are going to write a sploit that puts a txt file in the root directory saying where the admin can get the patch, why not fix it yourself? It was just one byte ya know. Da fedz should write a one byte patch sploit and scan the net patching this for people. That would be sweet.
How we know is more important than what we know.
Yawn, I'm not going to go over this argument yet again. The bug is essentially this one instruction:
mov [ebp+var_4], 202h
when the buffer is actually only 101h bytes long. So eEye could of made a one byte patch and released this, fixed the problem and then gone to Microsoft to get them to fix it in the source. But that's not the way it goes down. Microsoft has to be the one that makes the patch and although they beat the 30 day average I think 11 days to release a patch is pretty shameful (openbsd would patch this in under 6 hours, 24 hours being the maximum). Especially considering that mumblings of this bug were on bugtraq before April 19.
How we know is more important than what we know.
You seem to be assuming that everyone here is an admin...
Plenty of us have no reason to keep track of bugtraq - because we don't admin servers. However, this is a rather major story (compared to the ones you've mentioned, anyway), and I'm sure lots of people are interested.
If it had been Apache, BIND, sendmail, or something, it would be here just the same.
Cheers
He asked a valid question. Like it or not, Apache is the norm on the net (though not necessarily on the Win32 platform). So why should someone choose IIS over Apache?
Your post seems little more than an eloquent version of "Apache suxxors and IIS rules". Please tell us why IIS is a good choice.
Cheers
IIS is generally considered to be quite a bit faster than the standard Apache distribution
IIS is faster for static content. Apache is faster for dynamic content (SSI, CGI, et cetera). Speed on static content is rather useless, as it doesn't take much of a box to saturate a reasonable connection with either IIS or Apache.
Oh, and there's an Apache module for asp.
Cheers
The vast majority of security vulnerabilities are buffer overflows. This latest vulnerability extends this status quo. There are technologies out there that prevent this, however, almost all of these technologies slow down the system in some way or another. Examples include languages that allow dynamically sized arrays and other preventative measures.
CPU speed is growing such that it would appear that we could take a speed hit for increased security. Is it coming down to the fact that various organizations would rather market a fast webserver at the expense of a secure one? The $64,000 question is why the industry has not moved towards safer technologies that prevent these security holes.
Not that Microsoft is incredibly innovative on the security front, but they're hardly the only culprit. Many others rely on unsafe languages and techniques that allow these vulnerabilities to leak through.
When will it end? Is there any incentive to end?
Of course, I'd be pretty upset too if a bunch of upstarts were singlehandedly obsoleting my practices and methodologies, like eEye (and groups like them) has done with "traditional" security consulting and management. I just hope all you people are watching now and paying attention to the contributions the security community gets from eEye's critics.
A published root hole in IIS is a coup for open source (when was the last "Administrator" break from Apache?). The disseminated fix will be a coup for full disclosure. Everybody wins. Except the dinosaurs.
Perhaps someone with more time on their hands can test the exploit against a Win2K Pro machine? For now I have removed the .print mapping, since I won't be using it anyway and I figure the old adage "better safe than sorry" applies here.
No Laughing Allowed!
I'm no expert in this area, but as I understand it, buffer overruns can get root access even when the program is running under user mode. If you read the article, it said that the buffer overrun caused IIS to shutdown, but unlike Apache or other servers it will automatically restart if it detects that it has crashed. (Kind of like how Windows will automatically scandisk after crashing, because its assumed that it will crash often). Anyway, my guess is that the buffer overrun code executes while IIS is starting up, between the point where the process is created (as Administrator) and the point where its priviledges devolves to a user.
Anyone more knowledgeable care to comment? I'm also curious how chroot()ed environments can help prevent root hacks in the linux environment. According to my admittedly sketchy theory, there is still the point where a process starts off as root, correct? Someone plz fill in! =)
Find and share links to celebrity profiles on MySpace! http://www.myspacecelebrities.com
They really are in it just for the publicity. So? Yeah, maybe it is sleazy of them, but at least someone found this exploit so that it could be patched. So what if it's free publicity for them? Would it have been better if a black-hat had found it and exploited it? I don't think so.
"Well kids, you tried your best, and you failed. The lesson is, never try."
The writeup for the story didn't blindly insult Microsoft, or insult them at all, for that matter. It just said that there was a vulnerability, and that it's a potentially large problem. Both are true statements.
Most of the comments I've read haven't bashed Microsoft either. So your post is completely irrelevant. I don't blame you; it's the poor moderators that make karma whoring possible.
Of course, this will get modded down to -1 Flamebait in a matter of seconds, because I went and insulted the moderators. Oh well.
"Well kids, you tried your best, and you failed. The lesson is, never try."
Thats the most common problem with server security, is the lack of knowledge of some of the administrators setting them up. They don't truly know what is running either via way of moronically not being intuitive enough to know what ports are open for what services and why, or just not having a clue altogether.
Funny how many would whore out including the staff of eEye. Instead or placing a nicely written morally sound write up, they overhype the issue to promote their product.
Lets not forget, what goes around comes around as eEye has seen in the past. I've purchased programs via my company from eEye, and they're not all that, nor are their advisories. Someone should teach those guys humility.
As for Microsoft, its just another one of their flaws, so I don't see what the big deal is.
removing the dot in dot com
Want Root?
Regarding the responsibility of IIS web admins... sure, common sense should tell them to delete unused script mappings. But even for the clueless ones, MS has formally recommended this on Technet. See "Secure Internet Information Services 5 Checklist" (note the date: June 2000, and there also was a version for IIS4 a few years ago). It's near the bottom, but it's there.
If your admin simply installs a default W2K, that's pretty weak... if he/she doesn't visit Technet (at least occasionally), then he/she's not really any more qualified than the landscaper.
This is a serious issue, but there's really no excuse for any company to be running a server that's vulnerable. For anyone with brains, this is a non-issue.
-Andy
Since MSs products do this that the other thing and the last thing you ever want to do but not the thing you need to buy the 3rd party software for, is it really any surprise MS always suffers from escaped code review buffers? When you bite off more than you SHOULD chew, this 'll always happen. =)
.. more granular projects lead to better security ...
Its a good thing for the OS community
Garret
"Old man yells at systemd"
Do you remember when Slashdot posted stories on security flaws like this as an attempt to disseminate the information to the tech community at large, even though they didn't like Microsoft, as opposed to now, when they attempt to show that they don't like Microsoft by disseminating information about such security flaws? Its a subtle change, but its there...
You say you want a revolution?
I really don't get this. Why do people still persist with IIS? Isn't four (five?) years of bug after bug after bug, security exploit after security exploit not enough to convince people that it's a bad product?
Why, despite this consistent track record of failure, do people still set up IIS servers?
It beggars belief. And it's boring now. IIS Bug Of The Week it's become, and yet people still don't learn.
xx Stuii!
I submitted this story yesterday and was rejected.
2001-05-01 23:24:00 Another Major Security Hole in IIS (articles,microsoft) (rejected)
"The first time I got drunk, I got married. The second time I bought a chimpanzee, after that I stayed sober" Arian Seid
Lots of shirking the responsibility seems to be going on in this discussion. Sure system admins should be informed about security and keep with patches and all, but to some degree, fault must inevitably lie with software vendors who don't have a deep commitment to producing trustworthy (read: secure) software. And that's not just Microsoft.
A program can be provably invulnerable from certain attacks, but undecideable on other attacks. It's a shame that software most often fails on the most obvious and straightforward of fronts to defend: buffer overflows. Something along the lines of 30-60% of all exploits make use of buffer overflows. However, checking for such weaknesses can be carried out by a sufficiently capable automated tool. With as common a problem as buffer overflows have been, you would think that it would be foremost in people's minds when designing against flaws. If you left your door unlocked and were robbed seven times in a row, wouldn't you start locking your front door as the first measure?
It's a small example but indicative of a larger problem I am trying to frame. Software vendors, hobbyists, open source developers, just don't think about these things. They write software in an ad hoc fashion intended to be configurable and carry out a service, so intent on the goal that they fail to consider the larger context. They believe an exploit or a security flaw is something blatant and obvious in the code, or they base their assumptions on a narrower range of input than the application will be exposed to. And even in that case, they see a security flaw as just another bug to patch in the next release, as innocuous as the something like a memory leak.
Software that provides services is meant to do that. To everyone. And if not to everyone, to a select group of people who must be authenticated and authorized. Those mechanisms must be engineered to be extremely fault tolerant. Unfortunately, they often are not.
The software vendors to carry blame for this. Don't push this off onto system administrators for not knowing "how to configure" something. That's a poor excuse. They should be informed, of course, but their software should be secure, out of the box. Correct software isn't patchwork. It is carefully designed, carefully crafted to fit together but remain modular. It is not a series of patches with various nebulous origins to fix flaw after flaw in far flung parts of the code. Despite what you want to claim, secure, well-engineered software truly is a Cathedral, and not a Bazaar.
Simply throwing bugfixes at a problem won't fix and underlying engineering flaw. Throwing your code at people won't fix its design flaws. Take for example Kerberos. Nearly ten years it spent in the open source community as a secure protocol for providing services. The code was in the open and everyone just assumed that it was correct. In two weeks of studying the code at Purdue, a flaw was discovered that allowed the encryption to be subverted and tickets forged in less than a tenth of a second. The flaw had been in the code for ten years, because no one with enough training bothered to look for it.
Like I said, throwing patches at a problem isn't going to fix an engineering flaw, throwing your code at people isn't going to fix your design flaws. Until vendors realize this (which will probably be never) and start designing secure software from the ground up, there will always be buffer overflows, always exploits, always patches. A lot of services are set up to be turn-key, infeasible for the application to have a babysitter to patch the software night and day. Blaming system admins for their systems be penetrable? Who wrote the software again?
120 characters isn't enough to explain it.
And of course, this deserves front page notice because root exploits are not found in UNIX/Linux, after /. doesn't post about any...
Greetings:
ADM, KAM, Lamagra, Zen-parse, Barns, Angelina Jolie, Roland Postle, Attrition.
Someone at eEye is quite hopeful...
I hear next month they're going to replace all their programmers with a large but finite number of monkeys. Code quality is expected to improve.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
The vulnerability arises when a buffer of aprox. 420 bytes is sent within the HTTP Host: header for a .printer ISAPI request.
Heh Heh.
echo $email | sed s/[A-Z]//g | rot13
As many people have pointed out, anyone reasonably experienced, and any "real" website, isn't vulnerable to this if they followed the best practice of deleting all app mappings that aren't in use. It's like the blank SQL sa password all over again. Easy to get worked up about, pretty much a nonissue for anyone who even halfway knows what they're doing.
Right. And millions of stolen credit card numbers as a result is only proof of stupid admins, not stupid software.
Software has an obligation to setup secure by default, and insecure by the expressed will of the admin. Apparently with IIS and/or MSSQL this little bit of advice is forgotten.
You can go on and on about how anyone who bothered to read the docs would not setup the server in a vulnerable way, but this ignores an INCREDIBLY important aspect of human nature. That default computer usage should be reasonable is assumed by default. 80+% of all web users NEVER change their home page. In a simliar vein, most web admins simply use the default install, irrespective of the potential holes pr default passwords.
The default install has to work securely, plain and simple. For IIS or MSSQL, there are obvious reasons that your customers' business is not safe if you used the default install.
Because unlike apache on unix, IIS has a built-in facility to let "webs" and "subwebs" take on different user priviledges.. giving not only a sort of "run-as" functionality to web apps easily, but also leveraging the NT security model for isolation between separate websites and apps on the same webserver.
To do this with apache, well, you're talking about extensions and helpers that break parts of apache and are security risks in their own right... "suexec" comes to mind... and apache still needs to run as root to let any of these work. Furthermore, does suexec work with php ? mod_perl ?.. or is it only a cgi-bin wrapper (i.e. killing apaches performance as a dynamic content server)
Fwiw, there may be better solutions than the old suexec on apache by now...
it is possible that via perhaps Impersonation, IIS could run as non-system and still have separate users and app protection etc, but thats tricky to program. There may be other reasons for IIS to run as system; what i've written is just a possibility.
My opinions are my own, and do not necessarily represent those of my employer.
If you have a Win 2000 server or know someone that does, just get the patch. Simple as that.
Yep. And much as I hate to say it, the security bulletin on the Microsoft site is well written and honest.
However, if we get rid definitively of buffer overflows, it will be possible to spend more effort on securing against more tricky vilnerabilities.
I believe that, for instance, a kernel option which makes the stack not executable except by granting a EXECUTE_STACK capability would not hurt linux users, while not being the security panacea that some might expect.
Ciao
----
FB
That is very naive. This exploit is difficult to detect, and a real cyber-thief would not advertise his or her activities.
PS: this is not a flame.
Test 1 2 3 4
Man, that's stupid! You wouldn't say anything if the write-up said "... would enable him ...".
So where's the sexism coming from? From the one that wrote, or from the one that jumped up and down pointing and shouting "THEY WROTE 'SHE'!!!!!".
DUH!
shana
Every OS Sucks
--
Sleep is just a poor substitute for caffeine, anyway. -Bob Lehmann
Mainsteam? Probably wont happen anytime soon..
I hate to break it to you but most people do not care if IIS (whatever that is, they say) has a Buffer-Overflow (whatever a buffer is, and however you overflow it, they say) error that gives them Root (Foot & Mouth? Is that like Ringworm? I hope I dont contract it.).
On a side note, TechLive (as in TechTV (or formerly know as ZDTV) did in fact mention this several times during thier Tuesday Broadcast.
If you watch mainstream media, all you will get is Mainsteam news. Use your Dollar-Vote, and dont support things that you dont want to support.
Dont get real TV? Bug you Cable/Sat company.
----- The internet has given everyone the ability to have their voice heard equally as loud.. even if they shouldn't be
"However, this couldn't be used to conduct an effective denial of service attack, as the IIS 5.0 service automatically restarts itself after a failure. " If it takes me like one packet to shutdown the service(Hence the restart). I can generate lets say 4 packets per minute? (I really do have a better connection but) If I can not keep an IIS server thoroughly enough pissed with a small attack to prevent users Im confused. Not that I would but I just refuse to believe that while IIS is automatically restarting itself users would not be denied service. Oh well two cents. minus a dollar.
I am 31337 or something.
So no, it doesn't show "there's someone at Microsoft with their brain turned on," it shows that either they don't know English gender rules, or they'd rather sacrifice correct English for the sake of political correctness.
The only "intuitive" interface is the nipple. After that, it's all learned.
"The question of whether a computer can think is no more interesting than that of whether a submarine can swim" -EWD
As for whether or not "he" is the technically correct way of identifying people of unknown gender, it is. You may not like it, you may reject it, but it is correct, and it always has been. In fact, once upon a time, "man" simply meant "human." The word exclusively for males was "wer," hence "werewolf."
Newsflash: you're a fucking moron.
See: http://www.goatse.cx
The only "intuitive" interface is the nipple. After that, it's all learned.
"The question of whether a computer can think is no more interesting than that of whether a submarine can swim" -EWD
IIS and DNS are not setup on a default install of any of Windows 2000 Server products
Default install of Windows? Anyone that does so is definitely asking for problems. I like to know what the hell is actually getting installed on my PC, although with Win2K I'm wondering how many no-ops it took to fill my \WINNT to 900 MBs, when all Cache and Temp folders are elsewhere.
Nevermind, I figured it out. I'm using a Macroslop operating system...
AaronEven without that an admin should inspect anything that's viewable upon basic install -- and delete it if not needed. Really, this is like letting Apache install stuff to your cgi-bin/ directory and leaving it there even if you have no use for it.
:)
... betcha anything the guy who coded it had no idea ever that this was in the default install. He's probably running around pisses as hell in the Redmond base right now because his "quick little addon" turned into a huge deal behind his back. :)
A) This thing shouldn't have been installed by default. Oops on Microsoft.
B) If an admin is worth his weight in dirt he would have seen it already and canned it.
C) The MS coder that wrote something which would be included in a basic install should have been notified of this... and the code should have been properly audited. Odds are, whoever coded this ISAPI extension would have said upon notice that his extension would be in the default install something along the lines of, "WTF for? Nobody actually _uses_ this thing."
C would have fixed a few problems
Justin Buist
Ye gods, I should hope my customers would *sue* me if I used the default install of any line-of-business app, without configuring it for their particular needs!
You talk about 80% of web users not changing their home page, but what does that have to do with web site operators? Surely you're not saying you'd run a completely default install of even Apache without at least going over the config files and making sure it's set up to offer the minimum featureset that you need for a particular site?
Right?
-b
If I wanted a sig I would have filled in that stupid box.
...at least by security standards. It's been all over bugtraq for the past few days.
Maybe I'll write a little app to just forward bugtraq emails which mention Microsoft to slashdot submissions. In case you *don't* follow bugtraq, and security is important to you, here's what else has gone on in the past few days that, oddly enough, will probably not rate slashdot articles:
- Debian sendfile root exploit (updated package available)
- Bugzilla shell exploit (updated info available)
- Iplanet calendar server exposes netscape admin password
- DoS against Novell Border Manager
...there's lots more. That's just in the past two days. But it's not news unless it's Microsoft, eh, folks?
-b
If I wanted a sig I would have filled in that stupid box.
Would a r00t exploit in the latest linux kernel make slashdots front page? I've often wondered this.
Only the State obtains its revenue by coercion. - Murray Rothbard
umm no. The act of driving would == the ability to point, click and press keys and do basic navigation around a gui. Which, with a little training can be done by all people. Technical computer questions would be directly related to technical car questions. It would be funny, except its comparing apples and oranges.
cat /dev/zero | /dev/mem
I don't have numbers (probably only large espionage organizations do), but I'm willing to bet that's not true.
Buffer overruns undeniably get a lot of coverage on bugtraq--if you casually read the list, you'll be forgiven for thinking that buffer overruns are the overwhelming bane of computer security. But there are two biases to this observation:
-
Buffer overruns get more talk than vulnerability reports. Go to the vulnerability database at SecurityFocus and browse the recent
reports. On the first
page, there are 28 vulnerabilities, of which only three explicitly
mention buffer overruns. Even assuming that this is an unusually low
number, and that a few buffer overruns aren't labeled as overruns, and allowing that buffer overruns tend to be more serious than the
average vulnerability, this is hardly a preponderance.
-
bugtraq report statistics probably over-represent
buffer overruns. This is related to the above discussion--buffer overruns
are popular and well-worn ground. If you report one, everyone will
understand it and you'll win sure ego points. So if you're going to search
for vulnerabilities, you'll probably search for buffer overruns.
In short, even if we stop using languages with unsafe pointers tomorrow, our security woes will continue in full force.I frankly think the reason the discussion on bugtraq seems dominated by buffer overruns is that the community enjoys, and is comfortable, discussing buffer overruns. Even though the same religious issues (bounded arrays, language choice, non-executable stack, stack-guarding libraries) are rehashed over and over, people never get tired of them. Buffer overruns have a cherished place in security folklore. This is kinda nice in that it gives the community a common ground, but dangerous because it leads people to overlook the importance of other program flaws that can result vulnerabilities.
Further, buffer overruns are plain easy to find. If you have source code, a few greps often take you right to the hole. Even if you don't, tools like fuzz do pretty well (many bugtraq reports indicate that tools like this were used to find the overrun). Plus, contrary to what you might think, buffer overrun exploits are ususally easy to write, so don't think that turns of any would-be security gurus. Other classes of vulnerability usually require more analysis of program logic to find.
The evaluation of an action as 'practical' . . . depends on what it is that one wishes to practice.
...open source is bad.
Does anyone have a program that will exploit the hole and run code to automatically remove the .printer ISAPI mapping, then crash IIS so it will automatically restart with the new, safer configuration?
That would be a White Hat job.
NO CARRIER
Yes, hence my use of "yet, of course". Maybe this will encourage those lazy sys admins to download the patch.
"The universe seems neither benign nor hostile, merely indifferent." --Carl Sagan
I wasn't referring to the writeup, I was referring to the inevitable flamers who decide that as soon as they read Microsoft in a story they prepare their posts.
"The universe seems neither benign nor hostile, merely indifferent." --Carl Sagan
Ok, so there's a major security flaw with Windows 2000 server computers running IIS 5.0 because this ISAPI extension is installed by default. A patch is already available, and for those who don't want to patch (why the hell not?), they can simply remove the extension.
Yes, this seems to be a really nasty hole, but it doesn't appear as if it's been exploited (yet, of course). Microsoft did release a patch and didn't try to play down its importance (so it seems to me). Those of us in the *nix community have had our share of root exploits in various daemons, so they crop up in even our most favorite software.
There is no reason to be blindly insulting MS or promoting the secureness of Open Source programs. Large, complex programs are subject to buffer overruns.
If you have a Win 2000 server or know someone that does, just get the patch. Simple as that.
"The universe seems neither benign nor hostile, merely indifferent." --Carl Sagan
Would it be wrong of someone to write a worm which exploits this this vulnerability in order to install the patch that fixes it?
Any spoon would be too big.
So, as you can see, only a FEMALE hacker can exploit this vulnerability. And since the current
Windows is dead!
Windows is dead!
Long Live Tux!!!
Hey there, I'm no good programmer at all but the first thing I was told was: "Don't, ever, think of using a fixed lenght char array in the stack to store input; there's a HEAP of memory out there, use it!" It's like putting square wheels on a car: you can do it, no doubt, but it's just stupid... Assuming this is the sort of bug the story is about, how can anyone seriously claim to be an IT professional if he/she writes this crap (and asks $$ for it!)
Just my 0.2 l of petrol (it's your turn for the matches)
Edo
Mi domando chi à il mandante di tutte le cazzate che faccio - Altan
In this context, here is this bit of classic humor, as they say, "found on the Net"
WHAT IF PEOPLE BOUGHT CARS LIKE THEY BOUGHT COMPUTERS?
General Motors doesn't have a "help line" for people who don't know how to drive, because people don't buy cars like they buy computers -- but imagine if they did . . .
HELPLINE: "General Motors Helpline, how can I help you?"
CUSTOMER: "I got in my car and closed the door, and nothing happened!"
HELPLINE: "Did you put the key in the ignition slot and turn it?"
CUSTOMER: "What's an ignition?"
HELPLINE: "It's a starter motor that draws current from your battery and turns over the engine."
CUSTOMER: "Ignition? Motor? Battery? Engine? How come I have to know all of these technical terms just to use my car?"
HELPLINE: "General Motors Helpline, how can I help you?"
CUSTOMER: "My car ran fine for a week, and now it won't go anywhere!"
HELPLINE: "Is the gas tank empty?"
CUSTOMER: "Huh? How do I know?"
HELPLINE: "There's a little gauge on the front panel, with a needle, and markings from 'E' to 'F.' Where is the needle pointing?"
CUSTOMER: "It's pointing to 'E.' What does that mean?"
HELPLINE: "It means that you have to visit a gasoline vendor, and purchase some more gasoline. You can install it yourself, or pay the vendor to install it for you."
CUSTOMER: "What!? I paid $12,000 for this car! Now you tell me that I have to keep buying more components? I want a car that comes with everything built in!"
HELPLINE: "General Motors Helpline, how can I help you?"
CUSTOMER: "Hi! I just bought my first car, and I chose your car because it has automatic transmission, cruise control, power steering, power brakes, and power door locks."
HELPLINE: "Thanks for buying our car. How can I help you?"
CUSTOMER: "How do I work it?"
HELPLINE: "Do you know how to drive?"
CUSTOMER: "Do I know how to what?"
HELPLINE: "Do you know how to drive?"
CUSTOMER: "I'm not a technical person! I just want to go places in my car!"
Check out the Vinny the Vampire comic strip
"It is a greater offense to steal men's labor, than their clothes"
One could argue that to the stereotypical /. community (avoiding the arguments of how no stereotype truely captures even a majority of the opinions on Slashdot) MS bugs are news (i.e. "That's nice. Discuss amongst yourselves or whatever.") while *nix bugs are alerts (i.e. I don't want to wait until the Slashdot editors feel it's the proper time to post the story in order to keep the intended news pace).
You only come down really hard on the kid that is always in trouble...
/.ers only have a karma of 49...
REAL
SIG: HUP
That is FUD and you know it. IIS is not included as part of a Win2K install at all, it must be installed by the user off of the 2K CD. Once it is installed it is very similar to any other service, third party or Microsoft. It installs no kernel modules into the NT boot sequence, it just runs at high privs. If you were running Apache continually as root you would be subject to the same level of problems IIS has.
Its not a matter of kernel integration, it is simply a matter of privelleges.
The clash of honour calls, to stand when others fall.
So if you read the "technical" section of the Microsoft writeup, you'll notice their use of the female gender as the hypothetical attacker. "This would give the attacker complete control of the server, and would enable her to take virtually any action she chose." So, is Microsoft saying that all people who are hacking their webservers are female or that the person who found the bug is female? Microsoft, watch out! You could be next on the list for those crazy women's rights activists to attack!
[)(]subliminal labs[)(]
China is demanding an apology from Microsoft for this attack on their IIS web servers.
Holy crap! Software with bugs?! I can't believe it! A few posts mentioned reading bugtraq. A quick search on Google gave me several different sites. Could someone nudge me in the proper direction?
Any self-respecting sysadmin would have removed all ISAPI mappings except for .asa and .asp on installation (standard security procedure) and this wouldn't be an issue for them. That isn't to say that there probably isn't issue with the ASP ISAPI module, but at least it's heavily tested. Many of the other modules are fringe and likely to be vulnerability candidates.
However the same update requirement (i.e. keep on top of security patches) holds true for every OS and every system.
No holes like this exist in Linux
I'm presuming that this is just a troll, but in case you're serious there are a number of holes just like this for Linux, and there remain thousands or millions of Linux servers that haven't properly been patched up (just as there are NT 4 servers with holes 2 years old out in the wild).
If this were a desktop issue, then perhaps. But these are servers. Even though they look cute and seem friendly, they're really servers. If someone has a server that's important to their business and they don't have the knowlege or time to install and configure it properly, they should hire a pro.
That said, there's a market for out-of-the-box setup's, but changing defaults is going to please some folks and upset others. To try and create a set of defaults that will please everyone will end in failure.
Yes, though there's also a small matter of approach to things as far as a web administrator is concerned. If you'd want to turn off something like this in Apache, you'd edit the conf file, pick out the correct line, and change yes to no.
In IIS, and nearly all of microsoft's server side applications, any time you need to do something even remotely out of the norm it's buried withing menus upon unintuitive menus if it's even possible sans hackking.
I would assume this would get better over time, like the client applications Microsoft sells...
And speaking of IIS, I had a conversation with my boss the other day, and he asked if the IIS server required by a product was a security problem.
"Yes", I said, "even patched current and doing sanity checking it has had too many previous issues for me to trust."
Maybe someone should bring this up at the "Open source advocacy panel (as mentioned on slashdot)
It's more important to the /. community to be informed of MS bugs than *nix ones? I think not.
What's a sig?
Woops.... Hope they get it running again soon. "He" never would have done it had "he" known this was going to happen. But regardless, this exploit can most definately deny service to users. (Just check out www.ncix.com - they're down as I write this. I bet "my friend" will think twice before testing any other servers.)
Willy
Let Microsoft take you away from all that. With our new RemoteRoot feature for IIS on Windows2000, users can log in as root from remote sites without all the muckety muck.
Forgot your password? No problem. RemoteRoot makes getting in easy.
Microsoft has partnered with the company responsible for Zero Click technology to bring you this wonderful new feature. You can read more about it on their web site.
The MS writeup clearly states "Note: The vulnerability is only exposed if IIS 5.0 is running."
Otherwise you'll overflow your printer's buffer, too.
(It turns out the latest development code of Retina was able to find a buffer overflow within the .printer ISAPI filter (C:\WINNT\System32\msw3prt.dll) which provides Windows 2000 with support for the Internet Printing Protocol (IPP) which allows for the Web based control of various aspects of networked printers.)
Got friends?
So in effect, if the admin who setup the webserver is in ANY way competent, he should have already been over the checklist and applied the template, both of which discuss removing this extension. If he's lazy and only used the SecTool, that would still do the job.
-------
-- russ
"You want people to think logically? ACK! Turn in your UID, you traitor!"
Natural != (nontoxic || beneficial)
I think they have it backwards...
Give them props for doing what we always slam them for not doing-- responding quickly to a large exploit.
Though it does nothing for all the other exploits for win NT/2k out there.....
They stuck me in an institution, said it was the only solution, to...protect me from the enemy, myself
Think about it...new, microsoft -> buggy.
And really, this wasn't completely unexpected - in fact, any self-respecting sysadmin (using windows [even for a personal web-server], almost an oxymoron) would have PLANNED on making an update sometime in the near future.
--
Let me see--
- OS-level web server
- NT codebase
- Microsoft
hmmmmm..... Perfectly expected. The first item is a major reason why I am avoiding Tux until either I can further test it or it has more real-world testing.... Although Tux runs on Linux, I have serious problems running server software which runs with that kind of machine access. I will stick with Apache running as Nobody....LedgerSMB: Open source Accounting/ERP
Did you install Windows 2000 Server or Advanced Server on your desktop, and selected to install the DNS server to serve clients on the public internet?
I sure didn't install BIND on my Linux desktop, just like you don't run a nameserver on yours.
You want to trash talk BIND, go ahead. Linux is not BIND.
"Why didn't I join Microsoft? [LAUGHTER]"
Here is the accouncement for khttpd in June 1999. That's pre-2.4 if you didn't notice, the current kernel at the time of announcement was 2.2.9
Alan Cox wasn't sleeping, here is his 2c worth, about 2 weeks after the announcement. It's just a special in-kernel cache after all, not like running IE5 or IIS5 wholly in the kernel like some other OS's.
The home page is http://www.fenrus.demon.nl. kHTTPd only serves up static content, all non-static stuff is passed to a userland webserver, like Apache or Zues.
"Why didn't I join Microsoft? [LAUGHTER]"
Strange, I was under the the impression that malicious hackers would always be adolescent boys who watch pr0n and live like slobs.
Microsoft is actully an advacate of free information, thats why they leave all those nifty backdoors and exploits in thier software. That way anyone who wants to can just waltz in to your server for free and learn what ever they want. ;P
Of Course they could just save everybody a lot of trouble and rename IIS 'Internet Security Hazard', and get it over with.
RA7
-
"Consistency is the hobgoblin of small minds" - RWE
since the beginning of last year, which allow remote attacker to display path of the web server.
They might have patched the hole since, but it seems that it surfaced again....Oh well.
There's been virtually billions of 'remote root' level holes in Sendmail alone, nevermind the various other daemons that ship with one or more standard Linux (and/or other UNIX based system) distributions..While these are reported on the geek/security sites like buqtraq, they rarely make it to the mainstream.
Anyway, this is bound to turn into a long useless series of Microsoft-sucks, Linux-sucks posts...But the reality is every OS, open source or closed, has major bugs found in it from time to time...glass houses..stones...etc. Try not to feed the trolls.
... Every new .0 release is generally pretty buggy. It's almost smarter to wait until .1 and .2 releases to upgrade.
Look at RedHat 7.0, for example. Don't bash MS because they have bugs -- to do that would be hypocritical.
Do you like German cars?
This security hole didn't exist until eEye started probing around. MS DNA in W2K created this hole so that the eEye probes would have somewhere to go and the server wouldn't feel so...eh...lonely.
What is pirate software? Software for inventory of stolen treasure?
This story was on MSNBC 2 days ago. MS had a fix out to their "large" customers around 10am on that day.
This wasn't caught during windows2000test!? I don't believe it!
Did you install IIS5 on your desktop machine which doesn't act as a server?
If you're going to trash Windows, trash Windows, not the applications for it,
"Faith is the last resort of a desperate man" - Me
No gaping holes in LInux?
Of course, the mad rush to upgrade to 2.2.16 was purely cosmetic, and had nothing to do with a root exploit affecting all the previous kernels of the 2.2 series.
And BIND has never had a serious exploit in it. Oh no.
[Note for the sarcasm impaired: That was sarcasm]
"Faith is the last resort of a desperate man" - Me
What's more scarier than requiring this patch is the explicit instructions Microsoft have given about downloading the patch.
You would hope that any web admin (IIS or not) would already know how to download a file and save it to disk.
The ONLY thing that the instructions didn't tell me how to do was "Click OK". Do I use the mouse, or do I tap the screen with my nose?
The choice of programming language significantly affects the security (and quality) of the software in question by elimination of whole classes of errors. Buffer overflows are just not possible in the more abstract programming languages such as Lisp, Dylan, Sather, Eiffel, Cecil, ML, OOCaml, and others. Pointer or memory management problems such dangling pointers or memory leaks are not possibilities either.
That covers the most common programming errors in C/C++. In C/C++, the programmer manipulates raw addresses and allocates and deallocates memory manually. In the other languages, the programmer doesn't have access to raw addresses or manipulate memory directly, so the programmer can't cause crashes and neither can an opponent.
This is all obvious... but no one seems to learn it.
Most of these language have very efficient implementations for them... meaning that they have compilers that can produce code that performs in the neighborhood of C code (or sometimes better). And these languages from the Lisp or functional families are much more productive than C/C++.
Wow, I don't think I've seen so much MS-defence in one article in a while (well, I set my filter to 2 by default, and once I did that /. seems a LOT more intelligent!)
One thing you guys are all forgetting is that sysadmins, many times, simply don't have the time to admin properly. They're given 1/2 the time required to do any specific task, then the (usually clueless) management has another "mission-critical-must-be-done-yesterday" task to complete, and although the sysadmin intends to go back later to ensure everything is running properly and securely, in reality they just don't have the time.
If God gave us curiosity
to prevent buffer overflows is... (drumroll please)
COMPETENT PROGRAMMING!
Think of it. If I'm going to read in data, I will never ever ever blindly pass in a fixed-length array. In many many cases you can peek ahead to see how much data is waiting to be collected, or specify the length of your array so that the called function will not overflow your buffer. If you can't (then the called function was not written properly, but...) do something silly like allocate a buffer in the heap, and then copy the needed data into an internal buffer afterwards. If the "temp space" buffer is out-of-range-of-executable-code and big enough (reasonably, we can assume that we're not going to receive a 26MB buffer overflow) then even with a function that you can't specify the length of your array, an overflow will not be a problem. It's common sense people, especially with all of the press coverage that buffer overflow attacks have gotten. It's not brain science, just another example of incompetent programming.
If God gave us curiosity
First all my base are belong to M$, then they hand it over to l33t h4>0rs!
Je t' aime Lesley !