Slashdot Mirror
Eight New Security Holes in IIS
TedCheshireAcad writes: "A story at the Register asserts that MS's 'Trustworthy Computing' campaign has failed once again, with eight new IIS vulnerabilities discovered. The vulnerabilities include such delights as a buffer overflow in the ASP ISAPI filter, improper HTTP header handling, FrontPage Server Extensions problems and more goodies. Both IIS 4 and 5 are vulnerable. Thanks to eEye and @Stake for their advisories here(1) and here(2)."
only eight?
Then I guess according to Oracle its UNBREAKABLE.
THERE IS NO DATA. THERE IS O
By not informing the public of the holes until they have released a (faulty?) patch, they are demnonstrating incredibly quick turnaround time.
Of course, in the meantime, all of the IIS systems are vulnerable (able to be vulnered).
Why is Grand Theft Auto a much more serious crime than Reckless Driving?
I can understand if Microsoft would create a decent product, buy after hearing root hole after root hole, WHO WOULD WANT TO USE THIER PRODUCT?
Even MS sysadmins should have some sort of idea that this web server is horrid in terms of security. So MS Sysads, WHY DO YOU USE THIS???
Slashdot:
0 11151.htm / 020410hnflaws.xml
Eight new security holes in IIS
Any Site with Journalistic integrity:
Microsoft fixes Eight new security holes in IIS
http://geek.com/news/geeknews/2002apr/gee20020411
http://www.infoworld.com/articles/hn/xml/02/04/10
"I am a goat fucker!" -Richard Stallman, 1994
A bit of MIT/LCS lore here.
RMS used to live on the 7th floor of LCS. That's where he used to have his office before he resigned in protest over the commercialization of something or another. But they let him keep his office, and he lives there, because he refuses to have an apartment. (Given the rent rates in Cambridge, the assholeness of most landlords, I don't blame him. Rather than live in my office, I chose to move to Texas, and the change in rent rates and lack of state income tax resulted in an immediate %25 pay raise. RMS doesn't have that option because we have the death penalty for people like him down here.)
Anyway, RMS has or had a number or geek chick groupies. I wouldn't call any of the ones I've seen "hot", really -- well except for this one little psycho jewish undergrad from NYC. He would sleep with them on the sofa in his office. That's why he got kicked out off floor 7, and down to the 3 floor, is that the cleaning staff complained about pulling used condoms out from behind the sofas. No joke. You can use this information for trolling if you wish, but it's all true.
RMS has a phobia of water that prevents him from showering. This is part of this post I know from first hand experience, because I myself have observed him taking a sponge bath in the 3d floor mens room in LCS. Apparently once he had a girlfriend who he was totally in love with, and she convinced him to take one shower a week. It was a traumatic experience for him each time.
RMS also has a phobia of spider plants. When RMS starts bothering a grad student and going to his office and talking to him constantly and getting him to spend all his time writing free software, the grad student will complain to someone on the floor, and they'll let them in on the secrete -- get a spider plant in your office. The next time RMS drops by, his eyes will bulge a little and he'll say " Umm. . . I wanted to talk to you about hacking some elisp code . . . why don't you stop by my office sometime ?" and make a hasty exit.
One of his more nasty habits is picking huge flakes of dandruff out of his hair while talking to you. At least he doesn't eat them, like some people I know.
Now, I know everyone loves to make fun of RMS, and I'm feeding that a bit here, so I'd just like to say that I think he really is a genius, on the order of Socrates (another filthy slob who couldn't keep a normal living arrangement, and lived in a barrel) or Ghandi or Ezekiel. Everything he has ever said to me, while sounding naive and idealistic and stupid at the time, turned out to later be correct.
The only thing I fear in his philosophy is his interest in reducing population growth. Everyone else I know of who was obsessed with that "problem" turned out to have facist or totolitarian tendencies, and I think that the problem will solve itself as more and more of the world moves into a middle class type existence.
But on everything else, bitter experiences have taught me he is right. I will not use any non-GPLd or lGPLd software, and I look forward to being able to buy only "open" hardware. I would like to see software patents completely eliminated, and with the development of digitial communication, I see no reason why shouldn't simply repeal all of Title 17 and do away with all copyrights. They just aren't needed. I expect to spend much of my life being paid to write software, and I just don't see copyrights has helping me in anyway.
between the sysadmins and the worm writers.
If history is any guide, the sysadmins will lose, badly.
It's an IIS gangbang!
It seems to me that the Trustworthy Computing campaign is succeeding. They found 8 new bugs, and fixed them (well, they didn't find all 8, but they did find some of them...).
Yes, it would be better if they didn't have any bugs in the first place, and yes, it would be a lot better if they would announce the bugs before they had the patches ready, but you can't say that the months of code review failed after they actually found something.
I would be a lot more worried if they didn't find any bugs...
-Mike
http://www.microsoft.com/technet/treeview/default. asp?url=/technet/security/bulletin/MS02-018.asp
/. hype machine these days? First it takes 2 days to post the news, then they understate the scope of the problems.
Impact of vulnerability: Ten new vulnerabilities, the most serious of which could enable code of an attacker's choice to be run on a server.
What's wrong with the
This can be spun many ways. Could it be that Microsoft found these ten flaws thanks to their month of heavy code checking in February, and are working on fixes for them?
I mean, why is it a failure to find flaws and fix them? If you're trying to get trustworthy computing, seems like it's a failure if you don't fix any flaws.
"And like that
This is either just self-serving MS bashing on the part of the editors, or is just another stupid cock-up.
Similarly, the rumor is that Hailstorm was put on the chopping block partly because of unresolvable security issues (though that's not the public story).
All of this is evidence that they are finally getting their house in order.
I'm an IT admin at a Fortune 500 company. I like my job, and I like my employer, so I'm posting anonymously.
We use Microsoft because the company insists on it. I've been working here since 1999, and we've been using MS products exclusively since the day I got here; I assume it was that way before I got on the scene as well. Our web servers are all NT machines with IIS, and, I might add, all are properly licensed out the ying-yang. There's been a serious push over the past few months to ensure licensing compliance.
It's all about the suits, folks. The CEO, CTO (sigh), CFO, and COO all use Microsoft products, so they assume Microsoft is it. They won't even entertain the thought of alternatives - not even the CTO (sigh again) - because they've never tried the alternatives. Microsoft has succeeded, in our company as well as plenty of others, at setting the precedent. Microsoft is like corporate crack, the first time's free, after that you pay through the nose (in more ways than one).
I've tried to convince both my manager and the CTO to switch to either Linux or FreeBSD several times. My manager is somewhat receptive but his manager (the CTO) nixes the idea outright every time. Because he's never used Linux, BSD, or any other open source operating system. Microsoft is all he's ever known and probably all he ever will know. And thus Microsoft is all he's willing to trust or invest in.
It's sad, really, and I think this situation is pervasive throughout every industry. The real problem is that you get "CTOs" who are 60 years old and completely out of touch with technology - but companies won't hire knowledgeable geeks as CTOs, because they're "too young" to hold executive positions. It's a catch-22 if I've ever seen one and I think Microsoft knows it damn well.
The rich get richer, the old get older, and the informed geeks get nowhere. Same old status quo.
I just saw it on my Microsoft Baseline Security Analyzer ©®(TM):
.NET ©®(TM).
View Security Report
Sort Order: Score (worst first)
Computer name: MYADSDOMAIN \WindozePeeCee
IP address: 225.-1.65535.1
Security Report Name: MYADSDOMAIN - WindozePeeCee (04-12-2002)
Scan date: 12/04/2002 12:00AM
Hotfix database version: v2.0.10^23+[1/(planks constant)]
Security assessment: Sever Risk (As usual)
Windows Scan Results
Vulnerabilities
Windows Hotfixes
1. Local Account Passwords are simple or Weak. Please change them to something overtly convoluted and difficult to remember. It wont matter anyway because the Active Directory Server©®(TM) you authenticate against is probably not patched.
2. IIS©®(TM) Installed. Please update to Apache 1.3.24 or 2.0.35
3. JRE 1.4 is installed. Wow. That's even more bloated than the first revision of
4. Auto-login is enabled. This is inherently dangerous because this OS has no inkling as to what multi-user means, for whatever reason, everyone is a su-doer.
5. Passwords are too short. This is weak because the domain controller isn't patched. If you are running Samba 2.2, please disregard this. We can't tell the difference.
6. File systems. They all appear to be running NTFS. Good (you should have two UPS for this. If its get corrupted, snicker.........)
7. Your Cell Phone, Palm Device, monitor, printer, hub, DSL router, joystick, speakers, KVM, other PCs, scanner and filing cabinet do not have Client Access Licenses.
© 1999 - 2009 (We paid of the US DOJ until then, they only take kick in decade increments), All your rights are belong to us.
Or are you suggesting that if you don't find the security holes, that they aren't there?
ok then your [sic] infringing on my copyright! Could you as [sic] me next time before STEALING my comments for your own?
Assuming they use their own products, why don't we hear more about MS getting hacked into. Seems like that would get the most attention from the hackers and the public.
I mean, IIS has such a grand history of security lapses that 8 more are probably only a few percent more. It hardly seems newsworthy it's become so common.
I suppose, though, it's important that people know about flaws in the products they buy.
But I have to shake my head at any outfit that still uses IIS if they have important company information at stake anywhere near the web server.
With Apache 2 out of beta the same week as these IIS vulnerabilities, there's a doubly good excuse to try out Apache. Since it's free and open source, there's nothing holding you back except investing a little of your time.
Go for it!
After trying out Apache this weekend, you won't lose sleep trying to guess how many more vulnerabilities are in IIS future.
"Eight less than before" is cold comfort.
"Provided by the management for your protection."
One - people don't generally pay a 'yearly' license fee for most software. It may work out this way with upgrades, but MS seems to be roughly every 2-3 years for an upgrade cycle.
:) (been dying to quote Yoda for years!)
"24 hour support desk" = IRC? That's a really good line. Honestly, there's lots of good reasons to switch, but that's not a good one.
Also - do, or do not. There is no try.
creation science book
If IIS 6 is not vulnerable, wouldn't that mean Microsoft's initiative is working?
Donate background CPU time to fight cancer.