Eight New Security Holes in IIS

← Back to Stories (view on slashdot.org)

Eight New Security Holes in IIS

Posted by timothy on Thursday April 11, 2002 @03:26PM from the nobody's-perfect dept.

TedCheshireAcad writes: "A story at the Register asserts that MS's 'Trustworthy Computing' campaign has failed once again, with eight new IIS vulnerabilities discovered. The vulnerabilities include such delights as a buffer overflow in the ASP ISAPI filter, improper HTTP header handling, FrontPage Server Extensions problems and more goodies. Both IIS 4 and 5 are vulnerable. Thanks to eEye and @Stake for their advisories here(1) and here(2)."

46 comments

Min score:

Reason:

Sort:

Wow! by diesel_jackass · 2002-04-11 15:29 · Score: 1

only eight?

Then I guess according to Oracle its UNBREAKABLE.

--
THERE IS NO DATA. THERE IS O
1. Re:Wow! by RedWolves2 · 2002-04-11 15:35 · Score: 0, Redundant
  
  Come on now this patch came out two days ago. This site sucks for up to date news and information.
2. Re:Wow! by RedWolves2 · 2002-04-12 01:02 · Score: 1
  
  Hmm..redundant!
  
  Since I was the second post on this article when I wrote it I don't see how this is redundant.
  
  Take a class on how to moderate would you!
Trustworthy Computing definition by andaru · 2002-04-11 15:38 · Score: 2

They are using 'Trustworthy Computing' in the sense of, "what you don't know can't hurt you."
By not informing the public of the holes until they have released a (faulty?) patch, they are demnonstrating incredibly quick turnaround time.
Of course, in the meantime, all of the IIS systems are vulnerable (able to be vulnered).

--
Why is Grand Theft Auto a much more serious crime than Reckless Driving?
Why? by josh+crawley · 2002-04-11 15:43 · Score: 2

I can understand if Microsoft would create a decent product, buy after hearing root hole after root hole, WHO WOULD WANT TO USE THIER PRODUCT?

Even MS sysadmins should have some sort of idea that this web server is horrid in terms of security. So MS Sysads, WHY DO YOU USE THIS???
1. Re:Why? by Anonymous Coward · 2002-04-11 15:52 · Score: 1, Funny
  
  > I can understand if Microsoft would create a decent product, buy after hearing root hole
  > after root hole, WHO WOULD WANT TO USE THIER PRODUCT?
  
  Because the next version will fix all the problems in the current one.
  
  Seriously. Some nitwits still believe that lie from Microsoft.
  
  That and it will give you a handjob while you configure it. :-)
2. Re:Why? by Anonymous Coward · 2002-04-11 15:58 · Score: 0, Troll
  
  Because i like TAKING IT UP THE @$$ from M$!
Ridiculous headline by Anonymous Coward · 2002-04-11 15:52 · Score: 3, Insightful

Slashdot:
Eight new security holes in IIS

Any Site with Journalistic integrity:
Microsoft fixes Eight new security holes in IIS

http://geek.com/news/geeknews/2002apr/gee200204110 11151.htm
http://www.infoworld.com/articles/hn/xml/02/04/10/ 020410hnflaws.xml
1. Re:Ridiculous headline by AdamBa · 2002-04-11 16:05 · Score: 2, Insightful
  
  And the part about "MS's 'Trustworthy Computing' campaign has failed once again" is silly. They just reviewed the code in the last couple of months. The new code has not yet been magically transported onto every machine with IIS installed.
  I'm not saying that IIS is not a pile of slop, of course.
  - adam
2. Re:Ridiculous headline by IpalindromeI · 2002-04-11 19:03 · Score: 1
  
  Although the "news" is that Microsoft released a patch for IIS holes, this headline isn't being untruthful. In order to fix a hole, the hole must exist. So obviously if they are fixing 8 holes, 8 holes previously unknown must have been found. Even if the headline had been "Microsoft fixes eight security holes in IIS", to me that would still say, "Hey guess, what? Eight new holes were found in IIS." The slashdot editors just don't care as much about making Microsoft seem like a good company, so they don't try to spin it that way.
  
  --
  
  --
  Promoting critical thinking since 1994.
3. Re:Ridiculous headline by sholton · 2002-04-11 23:06 · Score: 2
  
  They just reviewed the code in the last couple of months.
  
  You're spinning. Shouldn't they have reviewed the code before it shipped?
  
  --
  A new kind of meat designed to appeal to vegetarians.
4. Re:Ridiculous headline by obtuse · 2002-04-12 01:26 · Score: 1
  
  Not at all.
  
  The important news is that there are eight new holes, not that they're fixed. Are they fixed on all your company's instances of IIS, or are they holes?
  
  If it was anyone but Microsoft, it would be the same headline, remember "Open SSH Local Root Hole" http://developers.slashdot.org/article.pl?sid=02/0 3/07/1617211&mode=nested
  
  If it were any Free Software, it would be taken for granted that fixes would be out immedeately.
  
  --
  Assembly is the reverse of disassembly.
5. Re:Ridiculous headline by mat · 2002-04-12 05:56 · Score: 1
  
  A site payed by advertisments from commercial software and written by a journalist copying microsoft propag... ^H^H^H^H publications:
  Microsoft fixes Eight new security holes in IIS
  
  Slashdot:
  Eight new security holes in IIS
6. Re:Ridiculous headline by AdamBa · 2002-04-12 08:49 · Score: 2
  
  My point was that the "Trustworthy Computing" initiative had not failed. The previous way is still what is failing now.
  The Trustworthy Computing initiative failures will start showing up next year.
  - adam
7. Re:Ridiculous headline by Anonymous Coward · 2002-04-14 05:51 · Score: 0, Offtopic
  
  Gambling: It's like a tax on people who don't understand mathematics.
  
  Right, because a card counter in blackjack can never have odds over the house, and there aren't certain video poker machines that give you odds over the house.
  
  You are dumb and arrogant.
8. Re:Ridiculous headline by quintessent · 2002-04-14 09:55 · Score: 2
  
  Yes, they're telling some of the truth.
  
  But wasn't the trustworthy computing initiative meant to find these holes and fix them? Why are they calling this a failure? Oh, I just remembered. It's from the Register.
  
  --
  Donate background CPU time to fight cancer.
9. Re:Ridiculous headline by quintessent · 2002-04-14 10:02 · Score: 2
  
  It's the Register who is orignially to blame. Their assertions often border on ludicrous.
  
  But I do wonder why Slashdot doesn't do a little rational thinking before they post stories from the Register.
  
  --
  Donate background CPU time to fight cancer.
And the race is on... by Anonymous Coward · 2002-04-11 16:01 · Score: 0

between the sysadmins and the worm writers.

If history is any guide, the sysadmins will lose, badly.
Mmmmm 8 holes... by Anonymous Coward · 2002-04-11 16:07 · Score: 1, Funny

It's an IIS gangbang!
trustworthy computing fails again? by mikemulvaney · 2002-04-11 16:08 · Score: 3, Insightful

It seems to me that the Trustworthy Computing campaign is succeeding. They found 8 new bugs, and fixed them (well, they didn't find all 8, but they did find some of them...).

Yes, it would be better if they didn't have any bugs in the first place, and yes, it would be a lot better if they would announce the bugs before they had the patches ready, but you can't say that the months of code review failed after they actually found something.

I would be a lot more worried if they didn't find any bugs...

-Mike
it's actually 10... by seigniory · 2002-04-11 16:12 · Score: 4, Informative

http://www.microsoft.com/technet/treeview/default. asp?url=/technet/security/bulletin/MS02-018.asp

Impact of vulnerability: Ten new vulnerabilities, the most serious of which could enable code of an attacker's choice to be run on a server.

What's wrong with the /. hype machine these days? First it takes 2 days to post the news, then they understate the scope of the problems.
1. Re:it's actually 10... by RedWolves2 · 2002-04-11 16:15 · Score: 0, Redundant
  
  It is Microsoft! Does it matter if they get the news right? They are going to get bad mouthed no matter what the news is.
2. Re:it's actually 10... by Dr.+Tom · 2002-04-11 16:38 · Score: 3, Insightful
  
  Yeah, when the announcement first came out they rejected it because it was evidence that MS is delivering on the promises they made. Now, two days later, late at night, it slipped in accidentally as an MS bashing article. Duh.
  They should be applauding MS for biting the bullet and announcing these flaws. MS could have kept them secret, you know. This sort of press will only hurt the chances of more companies being more open with their security issues.
  Shame, shame..
3. Re:it's actually 10... by Anonymous Coward · 2002-04-11 16:41 · Score: 0
  
  Had MS tried to keep these secret, the people who discovered them (not MS, despite your crazy conspiracy theory) would have released the details.
  
  In case you don't know, eEye and @stake are not Microsoft.
  
  WRT the MS security audit: You'll note that its been going on for two months, and they haven't realeased a single advisory. Either they're hiding vulnerabilities (fixes will be quietly slipped into the next service pack, no doubt) or in 2 months they didn't find a single flaw. You be the judge.
4. Re:it's actually 10... by linzeal · 2002-04-11 17:40 · Score: 1
  
  why is this in developers when it should be on the front page ? tim stop with the crack already ;)
  
  --
  An Education is the Font of All Liberty
Failure, or success? by tswinzig · 2002-04-11 16:18 · Score: 4, Insightful

This can be spun many ways. Could it be that Microsoft found these ten flaws thanks to their month of heavy code checking in February, and are working on fixes for them?

I mean, why is it a failure to find flaws and fix them? If you're trying to get trustworthy computing, seems like it's a failure if you don't fix any flaws.

--

"And like that ... he's gone."
1. Re:Failure, or success? by Anonymous Coward · 2002-04-11 19:22 · Score: 0
  
  From another AC: In case you don't know, eEye and @stake are not Microsoft.
2. Re:Failure, or success? by Beltza · 2002-04-11 22:20 · Score: 1
  
  The acknowledgements in the Technet article do not only mention eEye and @stake. Entrust, Zenomorph, LAC SNS and Jubii A/S are also mentioned. In total they account for 7 bugs. This leads to the simple conclusion that Microsoft has detected 3 of the 10 bugs themselves!
  
  --
  Brain Tags |
MS found these bugs first! by Dr.+Tom · 2002-04-11 16:32 · Score: 2, Insightful

You idiots, these bugs were found BY the Trustworth Computing campaign. MS just spent two months doing a code review and this is the RESULT.
This is either just self-serving MS bashing on the part of the editors, or is just another stupid cock-up.
Similarly, the rumor is that Hailstorm was put on the chopping block partly because of unresolvable security issues (though that's not the public story).
All of this is evidence that they are finally getting their house in order.
1. Re:MS found these bugs first! by Perdo · 2002-04-11 16:38 · Score: 1, Flamebait
  
  All of this is evidence that they are finally getting their house in order.
  
  You admit that microsoft's house was out of order. And by using the word "getting" you imply that they are not there yet. All while the alternative's houses are in order...
  
  So why bother with IIS?
  
  --
  If voting were effective, it would be illegal by now.
2. Re:MS found these bugs first! by Dr.+Tom · 2002-04-11 16:44 · Score: 1, Insightful
  
  MS admitted it first. I think they should be praised for that. Note that I do not use any MS products.
3. Re:MS found these bugs first! by Anonymous Coward · 2002-04-11 16:44 · Score: 1, Informative
  
  Since when are @stake and eEye part of Microsoft?
4. Re:MS found these bugs first! by Anonymous Coward · 2002-04-11 16:47 · Score: 0
  
  Oh please, as if there are no bugs in anybody's software except Microsoft's. Stay on topic and flame the idiot who can't understand that this is the result of MS' internal code audit.
5. Re:MS found these bugs first! by Popocatepetl · 2002-04-11 16:58 · Score: 3, Informative
  
  Microsoft did not find (at least some of) these holes. Did you follow any of the links in the original post??? Going to Microsoft Security Bulletin MS02-18, we find the following:
  
  Acknowledgments
  Microsoft thanks the following people for reporting this issue to us and working with us to protect customers:
  
  Below that you see a list of people and organizations who reported holes.
6. Re:MS found these bugs first! by Anonymous Coward · 2002-04-11 17:36 · Score: 0
  
  It's not about no bugs or all bugs. It's about less bugs. IIS repeatably has more bugs than Apache.
7. Re:MS found these bugs first! by dhopton · 2002-04-11 21:51 · Score: 1
  
  I suggest you go back and read it. Yes, some of the fixes were found by third parties, but the rest were infact found by MS. Whether this is because of the security review or because they were looking at the code to fix the 3rd party found bugs, and stumbled accross them, we dont know. I dont think we have seen the result of the security review yet.
  
  The win2k codereview is happening at a slightly differnt pace compared to windows.net.
8. Re:MS found these bugs first! by DrSkwid · 2002-04-11 22:24 · Score: 2
  
  MS admitted it first.
  
  eh? MS has had holes for years and yet the admit it in 2002 and you suggest that's first?
  
  --
  There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
Because the company insists :( by Anonymous Coward · 2002-04-11 18:36 · Score: 2, Insightful

I'm an IT admin at a Fortune 500 company. I like my job, and I like my employer, so I'm posting anonymously.

We use Microsoft because the company insists on it. I've been working here since 1999, and we've been using MS products exclusively since the day I got here; I assume it was that way before I got on the scene as well. Our web servers are all NT machines with IIS, and, I might add, all are properly licensed out the ying-yang. There's been a serious push over the past few months to ensure licensing compliance.

It's all about the suits, folks. The CEO, CTO (sigh), CFO, and COO all use Microsoft products, so they assume Microsoft is it. They won't even entertain the thought of alternatives - not even the CTO (sigh again) - because they've never tried the alternatives. Microsoft has succeeded, in our company as well as plenty of others, at setting the precedent. Microsoft is like corporate crack, the first time's free, after that you pay through the nose (in more ways than one).

I've tried to convince both my manager and the CTO to switch to either Linux or FreeBSD several times. My manager is somewhat receptive but his manager (the CTO) nixes the idea outright every time. Because he's never used Linux, BSD, or any other open source operating system. Microsoft is all he's ever known and probably all he ever will know. And thus Microsoft is all he's willing to trust or invest in.

It's sad, really, and I think this situation is pervasive throughout every industry. The real problem is that you get "CTOs" who are 60 years old and completely out of touch with technology - but companies won't hire knowledgeable geeks as CTOs, because they're "too young" to hold executive positions. It's a catch-22 if I've ever seen one and I think Microsoft knows it damn well.

The rich get richer, the old get older, and the informed geeks get nowhere. Same old status quo.
1. Re:Because the company insists :( by morgajel · 2002-04-12 01:00 · Score: 1
  
  what I've found works if get another machine in there(with bosses permission of course- it could be a 266 with 64 megs of ram, or a laptop even), and tell him you wish to run squid cache proxy for the office to test it out... tell him that it'll be a cut on the huge bandwidth costs(if they're as clueless as you implied).
  
  After that, run samba on it. Show him how you can use it as a file sharing device. get your immediate boss really warmed up to the Idea. Shovel the regular propaganda.
  
  then one day have the CTO walk in as your "completing" some heavy task. when he asks what your doing, say you just broke some sort of backup record by cutting it in half. when he asks how, begin shoveling the propaganda. tell him that if they had all the machines on linux, he'd save the company $X in yearly licensing fees...do some quick math- company pays $X to microsoft/2 (for the machines that just aren't replacable at the moment), which would look real good to his bosses, and he'd probably get a fat bonus.
  
  Tell him if he's interested, you could show him a "test box"(complete with kde 3.0). Tell him how linux has a 24 hour support staff(IRC) and developers around the world constantly working to improve it 24 hours a day. say that it's de-centrallized, so there's no forced upgrades, etc... think it out before you say it tho. don't act excited tho. basically say, "hey, you can make a huge-ass bonus from this if your TRY it." if you don't like it, we can switch back. it's good enough for IBM, so maybe we should try."
  
  this may or may not work, but it worked on my parents and my girlfriend:)
  
  --
  Looking for Book Reviews? Check out Literary Escapism.
Finding security holes is good... by aozilla · 2002-04-12 00:57 · Score: 2

Or are you suggesting that if you don't find the security holes, that they aren't there?

--
ok then your [sic] infringing on my copyright! Could you as [sic] me next time before STEALING my comments for your own?
Why isn't MS hacked? by Anonymous Coward · 2002-04-12 02:18 · Score: 0

Assuming they use their own products, why don't we hear more about MS getting hacked into. Seems like that would get the most attention from the hackers and the public.
Don't Be A Bully by 4of12 · 2002-04-12 05:07 · Score: 2

I mean, IIS has such a grand history of security lapses that 8 more are probably only a few percent more. It hardly seems newsworthy it's become so common.

I suppose, though, it's important that people know about flaws in the products they buy.

But I have to shake my head at any outfit that still uses IIS if they have important company information at stake anywhere near the web server.

With Apache 2 out of beta the same week as these IIS vulnerabilities, there's a doubly good excuse to try out Apache. Since it's free and open source, there's nothing holding you back except investing a little of your time.

Go for it!

After trying out Apache this weekend, you won't lose sleep trying to guess how many more vulnerabilities are in IIS future.

"Eight less than before" is cold comfort.

--
"Provided by the management for your protection."
2 things by mgkimsal2 · 2002-04-13 06:15 · Score: 2

One - people don't generally pay a 'yearly' license fee for most software. It may work out this way with upgrades, but MS seems to be roughly every 2-3 years for an upgrade cycle.

"24 hour support desk" = IRC? That's a really good line. Honestly, there's lots of good reasons to switch, but that's not a good one.

Also - do, or do not. There is no try. :) (been dying to quote Yoda for years!)

--
creation science book
Correct me if I"m wrong, but... by quintessent · 2002-04-14 09:27 · Score: 2

If IIS 6 is not vulnerable, wouldn't that mean Microsoft's initiative is working?

--
Donate background CPU time to fight cancer.