Eight New Security Holes in IIS

← Back to Stories (view on slashdot.org)

Eight New Security Holes in IIS

Posted by timothy on Thursday April 11, 2002 @03:26PM from the nobody's-perfect dept.

TedCheshireAcad writes: "A story at the Register asserts that MS's 'Trustworthy Computing' campaign has failed once again, with eight new IIS vulnerabilities discovered. The vulnerabilities include such delights as a buffer overflow in the ASP ISAPI filter, improper HTTP header handling, FrontPage Server Extensions problems and more goodies. Both IIS 4 and 5 are vulnerable. Thanks to eEye and @Stake for their advisories here(1) and here(2)."

6 of 46 comments (clear)

Min score:

Reason:

Sort:

Ridiculous headline by Anonymous Coward · 2002-04-11 15:52 · Score: 3, Insightful

Slashdot:
Eight new security holes in IIS

Any Site with Journalistic integrity:
Microsoft fixes Eight new security holes in IIS

http://geek.com/news/geeknews/2002apr/gee200204110 11151.htm
http://www.infoworld.com/articles/hn/xml/02/04/10/ 020410hnflaws.xml
trustworthy computing fails again? by mikemulvaney · 2002-04-11 16:08 · Score: 3, Insightful

It seems to me that the Trustworthy Computing campaign is succeeding. They found 8 new bugs, and fixed them (well, they didn't find all 8, but they did find some of them...).

Yes, it would be better if they didn't have any bugs in the first place, and yes, it would be a lot better if they would announce the bugs before they had the patches ready, but you can't say that the months of code review failed after they actually found something.

I would be a lot more worried if they didn't find any bugs...

-Mike
it's actually 10... by seigniory · 2002-04-11 16:12 · Score: 4, Informative

http://www.microsoft.com/technet/treeview/default. asp?url=/technet/security/bulletin/MS02-018.asp

Impact of vulnerability: Ten new vulnerabilities, the most serious of which could enable code of an attacker's choice to be run on a server.

What's wrong with the /. hype machine these days? First it takes 2 days to post the news, then they understate the scope of the problems.
1. Re:it's actually 10... by Dr.+Tom · 2002-04-11 16:38 · Score: 3, Insightful
  
  Yeah, when the announcement first came out they rejected it because it was evidence that MS is delivering on the promises they made. Now, two days later, late at night, it slipped in accidentally as an MS bashing article. Duh.
  They should be applauding MS for biting the bullet and announcing these flaws. MS could have kept them secret, you know. This sort of press will only hurt the chances of more companies being more open with their security issues.
  Shame, shame..
Failure, or success? by tswinzig · 2002-04-11 16:18 · Score: 4, Insightful

This can be spun many ways. Could it be that Microsoft found these ten flaws thanks to their month of heavy code checking in February, and are working on fixes for them?

I mean, why is it a failure to find flaws and fix them? If you're trying to get trustworthy computing, seems like it's a failure if you don't fix any flaws.

--

"And like that ... he's gone."
Re:MS found these bugs first! by Popocatepetl · 2002-04-11 16:58 · Score: 3, Informative

Microsoft did not find (at least some of) these holes. Did you follow any of the links in the original post??? Going to Microsoft Security Bulletin MS02-18, we find the following:

Acknowledgments
Microsoft thanks the following people for reporting this issue to us and working with us to protect customers:

Below that you see a list of people and organizations who reported holes.