Serious IIS Hole; Minor X Bug
EyesWideOpen writes "Microsoft announced Wednesday that there is a serious software flaw with its IIS web server. The 'vulnerability affects a function in the server software that allows Web administrators to change passwords for an Internet site.' A researcher with eEye Digital Security discovered the flaw in mid-April but it wasn't announced publicly because of an agreement with Microsoft. The Wired article is here and this appears to be the MS bulletin describing the vulnerability in detail." And several people reported this Register story on a way to DoS Mozilla users by trying to display ludicrously large fonts. Microsoft's time to patch a remote hole where the attacker can gain complete access to your computer: two months. Open Source's time to patch a much less serious bug where the attacker can merely crash your computer: three days.
"it only really affects those sysadmins who don't bother to lock their server down"
Which happens to be the majority. If you're lazy enough not to run a real web-server then you're lazy enough not to make it secure.
"an older, largely obsolete scripting technology"
I don't think the script kiddies care about the popularity of the technology; if there's a hole, there's a hole.
A little pet peave of mine.
You mean peeve?
(spelling mistakes are a pet peeve of mine)
You can accomplish anything you set your mind to. The impossible just takes a little longer.