Slashdot Mirror

← Back to Stories (view on slashdot.org)

Serious IIS Hole; Minor X Bug

Posted by michael on from the truthworthy-computing dept.

EyesWideOpen writes "Microsoft announced Wednesday that there is a serious software flaw with its IIS web server. The 'vulnerability affects a function in the server software that allows Web administrators to change passwords for an Internet site.' A researcher with eEye Digital Security discovered the flaw in mid-April but it wasn't announced publicly because of an agreement with Microsoft. The Wired article is here and this appears to be the MS bulletin describing the vulnerability in detail." And several people reported this Register story on a way to DOS Mozilla users by trying to display ludicrously large fonts. Microsoft's time to patch a remote hole where the attacker can gain complete access to your computer: two months. Open Source's time to patch a much less serious bug where the attacker can merely crash your computer: three days.

2 of 467 comments (clear)

  1. Re:This goes to show... by CaptainZapp · · Score: 5, Interesting
    The fact is Microsoft doesn't give a damn, because it doesn't need to give a damn anymore. Windows in its various forms continues to have outrageous security holes [...]

    I think you're wrong here, since Microsoft was always very, very good at feeling out the vibes of their customer base. The current perception in the marketplace is, that Microsofts security is beyond rotten. Since even the Gartner Group got on the bandwaggon, Microsoft seems to be scared shitless about that public perception.

    The problem is the same as the sorcerers apprentice, who just can't get rid of the monsters anymore.

    For years and years Microsoft has (overladden-) their products with features and bloat. They missed the internet entirely and when they realised their mistake they rushed an inherently insecure internet platform into the market and during all this time they didn't give a flying f*ck about security.

    I agree, that Microsoft is an extremely arrogant company, that regards their customer base as cows to be milked and taken for a ride in every way possible.

    The problem is that perception is changing and so they are frantically trying to restore trust; they can't let such glitches happen by purpose.

    I think it's too late though to call the monsters back in and even worse:

    It is my true conviction that any IT responsible on any level using IIS on new projects is guilty of gross negligence and incredible incompetence.

    --
    ich bin der musikant

    mit taschenrechner in der hand

    kraftwerk

  2. Three days? Rather a bit longer.... by Erik+Hensema · · Score: 5, Interesting

    I am pretty sure this bug has been in Bugzilla for months without being fixed. However, bugzilla-search seems to be broken so I cannot prove it right now.

    However, I am 100% positive I crashed my machine due to a remotely exploitable X bug using Mozilla a few months back. That bug is in bugzilla (search on crash, X, css, hensema when bugzilla search works again).

    --

    This is your sig. There are thousands more, but this one is yours.