Slashdot Mirror


Eight New Security Holes in IIS

TedCheshireAcad writes: "A story at the Register asserts that MS's 'Trustworthy Computing' campaign has failed once again, with eight new IIS vulnerabilities discovered. The vulnerabilities include such delights as a buffer overflow in the ASP ISAPI filter, improper HTTP header handling, FrontPage Server Extensions problems and more goodies. Both IIS 4 and 5 are vulnerable. Thanks to eEye and @Stake for their advisories here(1) and here(2)."

8 of 46 comments

  1. Ridiculous headline by Anonymous Coward · · Score: 3, Insightful

    Slashdot:
    Eight new security holes in IIS

    Any Site with Journalistic integrity:
    Microsoft fixes Eight new security holes in IIS

    http://geek.com/news/geeknews/2002apr/gee20020411011151.htm
    http://www.infoworld.com/articles/hn/xml/02/04/10/020410hnflaws.xml

    1. Re:Ridiculous headline by AdamBa · · Score: 2, Insightful
      And the part about "MS's 'Trustworthy Computing' campaign has failed once again" is silly. They just reviewed the code in the last couple of months. The new code has not yet been magically transported onto every machine with IIS installed.

      I'm not saying that IIS is not a pile of slop, of course.

      - adam

  2. trustworthy computing fails again? by mikemulvaney · · Score: 3, Insightful

    It seems to me that the Trustworthy Computing campaign is succeeding. They found 8 new bugs, and fixed them (well, they didn't find all 8, but they did find some of them...).

    Yes, it would be better if they didn't have any bugs in the first place, and yes, it would be a lot better if they would announce the bugs before they had the patches ready, but you can't say that the months of code review failed after they actually found something.

    I would be a lot more worried if they didn't find any bugs...

    -Mike

  3. Failure, or success? by tswinzig · · Score: 4, Insightful

    This can be spun many ways. Could it be that Microsoft found these ten flaws thanks to their month of heavy code checking in February, and are working on fixes for them?

    I mean, why is it a failure to find flaws and fix them? If you're trying to get trustworthy computing, seems like it's a failure if you don't fix any flaws.

    --

    "And like that ... he's gone."

  4. MS found these bugs first! by Dr.+Tom · · Score: 2, Insightful

    You idiots, these bugs were found BY the Trustworthy Computing campaign. MS just spent two months doing a code review and this is the RESULT.

    This is either just self-serving MS bashing on the part of the editors, or is just another stupid cock-up.

    Similarly, the rumor is that Hailstorm was put on the chopping block partly because of unresolvable security issues (though that's not the public story).

    All of this is evidence that they are finally getting their house in order.

    1. Re:MS found these bugs first! by Dr.+Tom · · Score: 1, Insightful

      MS admitted it first. I think they should be praised for that. Note that I do not use any MS products.

  5. Re:it's actually 10... by Dr.+Tom · · Score: 3, Insightful

    Yeah, when the announcement first came out they rejected it because it was evidence that MS is delivering on the promises they made. Now, two days later, late at night, it slipped in accidentally as an MS bashing article. Duh.

    They should be applauding MS for biting the bullet and announcing these flaws. MS could have kept them secret, you know. This sort of press will only hurt the chances of more companies being more open with their security issues.

    Shame, shame..

  6. Because the company insists :( by Anonymous Coward · · Score: 2, Insightful

    I'm an IT admin at a Fortune 500 company. I like my job, and I like my employer, so I'm posting anonymously.

    We use Microsoft because the company insists on it. I've been working here since 1999, and we've been using MS products exclusively since the day I got here; I assume it was that way before I got on the scene as well. Our web servers are all NT machines with IIS, and, I might add, all are properly licensed out the ying-yang. There's been a serious push over the past few months to ensure licensing compliance.

    It's all about the suits, folks. The CEO, CTO (sigh), CFO, and COO all use Microsoft products, so they assume Microsoft is it. They won't even entertain the thought of alternatives - not even the CTO (sigh again) - because they've never tried the alternatives. Microsoft has succeeded, in our company as well as plenty of others, at setting the precedent. Microsoft is like corporate crack, the first time's free, after that you pay through the nose (in more ways than one).

    I've tried to convince both my manager and the CTO to switch to either Linux or FreeBSD several times. My manager is somewhat receptive but his manager (the CTO) nixes the idea outright every time. Because he's never used Linux, BSD, or any other open source operating system. Microsoft is all he's ever known and probably all he ever will know. And thus Microsoft is all he's willing to trust or invest in.

    It's sad, really, and I think this situation is pervasive throughout every industry. The real problem is that you get "CTOs" who are 60 years old and completely out of touch with technology - but companies won't hire knowledgeable geeks as CTOs, because they're "too young" to hold executive positions. It's a catch-22 if I've ever seen one and I think Microsoft knows it damn well.

    The rich get richer, the old get older, and the informed geeks get nowhere. Same old status quo.