Slashdot Mirror
Eight New Security Holes in IIS
TedCheshireAcad writes: "A story at the Register asserts that MS's 'Trustworthy Computing' campaign has failed once again, with eight new IIS vulnerabilities discovered. The vulnerabilities include such delights as a buffer overflow in the ASP ISAPI filter, improper HTTP header handling, FrontPage Server Extensions problems and more goodies. Both IIS 4 and 5 are vulnerable. Thanks to eEye and @Stake for their advisories here(1) and here(2)."
By not informing the public of the holes until they have released a (faulty?) patch, they are demnonstrating incredibly quick turnaround time.
Of course, in the meantime, all of the IIS systems are vulnerable (able to be vulnered).
Why is Grand Theft Auto a much more serious crime than Reckless Driving?
I can understand if Microsoft would create a decent product, buy after hearing root hole after root hole, WHO WOULD WANT TO USE THIER PRODUCT?
Even MS sysadmins should have some sort of idea that this web server is horrid in terms of security. So MS Sysads, WHY DO YOU USE THIS???
Slashdot:
0 11151.htm / 020410hnflaws.xml
Eight new security holes in IIS
Any Site with Journalistic integrity:
Microsoft fixes Eight new security holes in IIS
http://geek.com/news/geeknews/2002apr/gee20020411
http://www.infoworld.com/articles/hn/xml/02/04/10
It seems to me that the Trustworthy Computing campaign is succeeding. They found 8 new bugs, and fixed them (well, they didn't find all 8, but they did find some of them...).
Yes, it would be better if they didn't have any bugs in the first place, and yes, it would be a lot better if they would announce the bugs before they had the patches ready, but you can't say that the months of code review failed after they actually found something.
I would be a lot more worried if they didn't find any bugs...
-Mike
http://www.microsoft.com/technet/treeview/default. asp?url=/technet/security/bulletin/MS02-018.asp
/. hype machine these days? First it takes 2 days to post the news, then they understate the scope of the problems.
Impact of vulnerability: Ten new vulnerabilities, the most serious of which could enable code of an attacker's choice to be run on a server.
What's wrong with the
This can be spun many ways. Could it be that Microsoft found these ten flaws thanks to their month of heavy code checking in February, and are working on fixes for them?
I mean, why is it a failure to find flaws and fix them? If you're trying to get trustworthy computing, seems like it's a failure if you don't fix any flaws.
"And like that
This is either just self-serving MS bashing on the part of the editors, or is just another stupid cock-up.
Similarly, the rumor is that Hailstorm was put on the chopping block partly because of unresolvable security issues (though that's not the public story).
All of this is evidence that they are finally getting their house in order.
I'm an IT admin at a Fortune 500 company. I like my job, and I like my employer, so I'm posting anonymously.
We use Microsoft because the company insists on it. I've been working here since 1999, and we've been using MS products exclusively since the day I got here; I assume it was that way before I got on the scene as well. Our web servers are all NT machines with IIS, and, I might add, all are properly licensed out the ying-yang. There's been a serious push over the past few months to ensure licensing compliance.
It's all about the suits, folks. The CEO, CTO (sigh), CFO, and COO all use Microsoft products, so they assume Microsoft is it. They won't even entertain the thought of alternatives - not even the CTO (sigh again) - because they've never tried the alternatives. Microsoft has succeeded, in our company as well as plenty of others, at setting the precedent. Microsoft is like corporate crack, the first time's free, after that you pay through the nose (in more ways than one).
I've tried to convince both my manager and the CTO to switch to either Linux or FreeBSD several times. My manager is somewhat receptive but his manager (the CTO) nixes the idea outright every time. Because he's never used Linux, BSD, or any other open source operating system. Microsoft is all he's ever known and probably all he ever will know. And thus Microsoft is all he's willing to trust or invest in.
It's sad, really, and I think this situation is pervasive throughout every industry. The real problem is that you get "CTOs" who are 60 years old and completely out of touch with technology - but companies won't hire knowledgeable geeks as CTOs, because they're "too young" to hold executive positions. It's a catch-22 if I've ever seen one and I think Microsoft knows it damn well.
The rich get richer, the old get older, and the informed geeks get nowhere. Same old status quo.
Or are you suggesting that if you don't find the security holes, that they aren't there?
ok then your [sic] infringing on my copyright! Could you as [sic] me next time before STEALING my comments for your own?
I mean, IIS has such a grand history of security lapses that 8 more are probably only a few percent more. It hardly seems newsworthy it's become so common.
I suppose, though, it's important that people know about flaws in the products they buy.
But I have to shake my head at any outfit that still uses IIS if they have important company information at stake anywhere near the web server.
With Apache 2 out of beta the same week as these IIS vulnerabilities, there's a doubly good excuse to try out Apache. Since it's free and open source, there's nothing holding you back except investing a little of your time.
Go for it!
After trying out Apache this weekend, you won't lose sleep trying to guess how many more vulnerabilities are in IIS future.
"Eight less than before" is cold comfort.
"Provided by the management for your protection."
One - people don't generally pay a 'yearly' license fee for most software. It may work out this way with upgrades, but MS seems to be roughly every 2-3 years for an upgrade cycle.
:) (been dying to quote Yoda for years!)
"24 hour support desk" = IRC? That's a really good line. Honestly, there's lots of good reasons to switch, but that's not a good one.
Also - do, or do not. There is no try.
creation science book
If IIS 6 is not vulnerable, wouldn't that mean Microsoft's initiative is working?
Donate background CPU time to fight cancer.