Slashdot Mirror

← Back to Stories (view on slashdot.org)

Code Red: the Aftermath

Posted by ryuzaki0 on from the if-only-this-was-the-last-code-red-article dept.

LiquidPC writes: "Microsoft has released a tool to help clean up the effects of the Code Red II. It removes the files and mappings installed by the worm, and reboots your system; it also gives you an option to permanantly disable IIS." So, Microsoft has given you a mop to clean up the mess they made. Start mopping! If you're not the one infected, just tired of seeing your Apache logs fill up, you might see this page.

2 of 505 comments (clear)

  1. Actually: authors of strncat() MAN PAGE and gets() by Ungrounded+Lightning · · Score: 5, Informative

    Blame the bozo who designed strncat!

    strncat() isn't a problem by itself. The problem is improper usage patterns.

    When you're builiding a string by repeated strncat()s to a buffer, and you don't have guarantees about the size of the things you're concatinating, you need to prevent (or check for) overflow, something like this:

    strncat(dest, src, MIN((BUFFSIZE-1)-sizeof(dest), chars_wanted_from_src));

    Without such an example in the man page it's easy to forget to guard against buffer overflow. And once code is writing with guards for overflow the guard code will serve as a reminder to later programmers maintaining or upgrading the code.

    But strncat() isn't the main culprit.

    Most of the buffer overflow attacks come from reading an input using gets(). That bad boy should have had a buffer size argument, ala fgets(). And it's the decision to keep it in the standard library "for compatability" that causes all the pain.

    The gnu compiler will warn you if you use it and the man page has a warning, so there's no excuse for it to show up in new code any more. And there's no excuse for not fixing ALL the warnings in a piece of production code, or for using (or writing) a compiler that DOESN'T warn about gets().)

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
  2. Re:Stop blaming microsoft by blakestah · · Score: 5, Informative

    The rest of us applied the patch supplied by Microsoft more than a month before CR came out...

    And were still vulnerable until we disabled URL forwarding.

    The Microsoft patch alone is not useful. You are still at risk. See Incidents home page

    I'm so sick of people blaming Microsoft. The released a patch well before Code Red. Get over it.

    Microsoft STILL hasn't released a patch that makes their webserver secure and allows URL forwarding. Their patch has its own security hole !!

    Blame Microsoft, or simply use Internet server software that is secure. All mine is written by Dan Bernstein :)