Slashdot Mirror


Serious IIS Hole; Minor X Bug

EyesWideOpen writes "Microsoft announced Wednesday that there is a serious software flaw with its IIS web server. The 'vulnerability affects a function in the server software that allows Web administrators to change passwords for an Internet site.' A researcher with eEye Digital Security discovered the flaw in mid-April but it wasn't announced publicly because of an agreement with Microsoft. The Wired article is here and this appears to be the MS bulletin describing the vulnerability in detail." And several people reported this Register story on a way to DoS Mozilla users by trying to display ludicrously large fonts. Microsoft's time to patch a remote hole where the attacker can gain complete access to your computer: two months. Open Source's time to patch a much less serious bug where the attacker can merely crash your computer: three days.

2 of 467 comments

  1. Re:Flawed logic by WildBeast · Score: 1, Flamebait

    Sure, let the user find the bug when he least needs his browser to crash.

    Me, I have no problem with Mozilla's strategy as long as Mozilla is free.

  2. Re:Only affects HTR - a rarely used feature by mosch · Score: 1, Flamebait

    you're right, a bug in the default configuration surely won't affect many people. So this really only affects sysadmins who don't bother to lock their server down, people who use htr, non-professionally adminned servers, desktops who have IIS enabled accidentally, production servers at colo facilities who wanted to not restrict their customers, any machine at all run by an admin who didn't feel the need to restrict the functionality they provide to their users really...

    yeah, not many people at all. you fucking retard.