Slashdot Mirror

← Back to Stories (view on slashdot.org)

Serious IIS Hole; Minor X Bug

Posted by michael on from the truthworthy-computing dept.

EyesWideOpen writes "Microsoft announced Wednesday that there is a serious software flaw with its IIS web server. The 'vulnerability affects a function in the server software that allows Web administrators to change passwords for an Internet site.' A researcher with eEye Digital Security discovered the flaw in mid-April but it wasn't announced publicly because of an agreement with Microsoft. The Wired article is here and this appears to be the MS bulletin describing the vulnerability in detail." And several people reported this Register story on a way to DOS Mozilla users by trying to display ludicrously large fonts. Microsoft's time to patch a remote hole where the attacker can gain complete access to your computer: two months. Open Source's time to patch a much less serious bug where the attacker can merely crash your computer: three days.

3 of 467 comments (clear)

  1. Only affects HTR - a rarely used feature by byolinux · · Score: 5, Informative

    This is hardly a major bug IMHO... "an older, largely obsolete scripting technology - where the previous one lay in the ISAPI extension that implements ASP." "The IIS Lockdown Tool disables this functionality by default. Customers who have retained the functionality but deployed the URLScan tool as discussed in Microsoft Security Bulletin MS02-018 would likewise be protected against the vulnerability." So, it only really affects those sysadmins who don't bother to lock their server down. It's not going to be a major issue for the majority.

    --
    Join the Free Software Foundation
  2. Incorrect ! by dnaumov · · Score: 5, Informative
    This article is incorrect. That bug is an XFRee bug and not a Mozilla bug. It's not fixed, although it's possible that it's been worked around in Mozilla. Read the text itself, I think it says:
    X-windows, with or without the font server (XFS) running can be crashed remotely via Mozilla when fonts are set to an unnaturally large size with CSS (Cascading Style Sheets), Tom Vogt of Lemuira.org has reported.

    and
    "An X bug allows all available memory to be consumed, which causes the system to freeze. The behavior can be duplicated with applications like the Gimp, we're told, but these aren't remotely exploitable. But with Mozilla, a pest can easily set up a malicious Web site which will crash unsuspecting Tuxers' boxen and cause any unsaved data in open apps to go away.
  3. Re:Serious Linux Flaw? by Tim+C · · Score: 5, Informative

    You can use the ulimit command to set an upper limit on the memory available to any process started by the shell under which it is issued.

    Just putting something like ulimit -m 200000 in your startx script should limit X's memory usage to 200meg.

    ulmit can also set upper limits on available CPU time, core file size, etc. Bash has a builtin version, so do man bash and look for ulimit for more details.

    --
    It's official. Most of you are morons.