Slashdot Mirror
Serious IIS Hole; Minor X Bug
EyesWideOpen writes "Microsoft announced Wednesday that there is a serious software flaw with its IIS web server. The 'vulnerability affects a function in the server software that allows Web administrators to change passwords for an Internet site.' A researcher with eEye Digital Security discovered the flaw in mid-April but it wasn't announced publicly because of an agreement with Microsoft. The Wired article is here and this appears to be the MS bulletin describing the vulnerability in detail." And several people reported this Register story on a way to DOS Mozilla users by trying to display ludicrously large fonts. Microsoft's time to patch a remote hole where the attacker can gain complete access to your computer: two months. Open Source's time to patch a much less serious bug where the attacker can merely crash your computer: three days.
The X bug is very serious. It's possible to set up a web site that will cause any X based computer looking at it to crash. But it's not a microsoft product so I expect the majority of people here will just ignore it and carry on bashing microsoft products as usual.
Sig is taking a break!
I think you're wrong here, since Microsoft was always very, very good at feeling out the vibes of their customer base. The current perception in the marketplace is, that Microsofts security is beyond rotten. Since even the Gartner Group got on the bandwaggon, Microsoft seems to be scared shitless about that public perception.
The problem is the same as the sorcerers apprentice, who just can't get rid of the monsters anymore.
For years and years Microsoft has (overladden-) their products with features and bloat. They missed the internet entirely and when they realised their mistake they rushed an inherently insecure internet platform into the market and during all this time they didn't give a flying f*ck about security.
I agree, that Microsoft is an extremely arrogant company, that regards their customer base as cows to be milked and taken for a ride in every way possible.
The problem is that perception is changing and so they are frantically trying to restore trust; they can't let such glitches happen by purpose.
I think it's too late though to call the monsters back in and even worse:
It is my true conviction that any IT responsible on any level using IIS on new projects is guilty of gross negligence and incredible incompetence.
ich bin der musikant
mit taschenrechner in der hand
kraftwerk
I am pretty sure this bug has been in Bugzilla for months without being fixed. However, bugzilla-search seems to be broken so I cannot prove it right now.
However, I am 100% positive I crashed my machine due to a remotely exploitable X bug using Mozilla a few months back. That bug is in bugzilla (search on crash, X, css, hensema when bugzilla search works again).
This is your sig. There are thousands more, but this one is yours.
How come nobody is posting a quick source patch? WTF? Isn't that one of the great things about open source?
You have all the code. It shouldn't be too hard to find the few places that you need to cap font size.
Where's all the programmers?
Let's not stir that bag of worms...
As pointed out in several posts to Bugtraq, yes, the actual bug is in X (probably in libXfont) but Mozilla is a program that retrieves untrusted data across a network and, as such, has a responsibility to reject or sanitize data that could cause problems. The old Internet maxim is, "Be liberal in what you accept and conservative in what you send," but that doesn't mean you shouldn't also do some sanity checking.
--Phil (Ardent Bugtraq follower.)
355/113 -- Not the famous irrational number PI, but an incredible simulation!