Slashdot Mirror

← Back to Stories (view on slashdot.org)

Serious IIS Hole; Minor X Bug

Posted by michael on from the truthworthy-computing dept.

EyesWideOpen writes "Microsoft announced Wednesday that there is a serious software flaw with its IIS web server. The 'vulnerability affects a function in the server software that allows Web administrators to change passwords for an Internet site.' A researcher with eEye Digital Security discovered the flaw in mid-April but it wasn't announced publicly because of an agreement with Microsoft. The Wired article is here and this appears to be the MS bulletin describing the vulnerability in detail." And several people reported this Register story on a way to DOS Mozilla users by trying to display ludicrously large fonts. Microsoft's time to patch a remote hole where the attacker can gain complete access to your computer: two months. Open Source's time to patch a much less serious bug where the attacker can merely crash your computer: three days.

13 of 467 comments (clear)

  1. DOS Mozilla users??? by Xpilot · · Score: 5, Funny


    Wow, I didn't know that Mozilla had a DOS version! How many users does it have? Three?

    --
    "Backups are for wimps. Real men upload their data to an FTP site and have everyone else mirror it." -- Linus Torvalds
  2. Only affects HTR - a rarely used feature by byolinux · · Score: 5, Informative

    This is hardly a major bug IMHO... "an older, largely obsolete scripting technology - where the previous one lay in the ISAPI extension that implements ASP." "The IIS Lockdown Tool disables this functionality by default. Customers who have retained the functionality but deployed the URLScan tool as discussed in Microsoft Security Bulletin MS02-018 would likewise be protected against the vulnerability." So, it only really affects those sysadmins who don't bother to lock their server down. It's not going to be a major issue for the majority.

    --
    Join the Free Software Foundation
  3. Incorrect ! by dnaumov · · Score: 5, Informative
    This article is incorrect. That bug is an XFRee bug and not a Mozilla bug. It's not fixed, although it's possible that it's been worked around in Mozilla. Read the text itself, I think it says:
    X-windows, with or without the font server (XFS) running can be crashed remotely via Mozilla when fonts are set to an unnaturally large size with CSS (Cascading Style Sheets), Tom Vogt of Lemuira.org has reported.

    and
    "An X bug allows all available memory to be consumed, which causes the system to freeze. The behavior can be duplicated with applications like the Gimp, we're told, but these aren't remotely exploitable. But with Mozilla, a pest can easily set up a malicious Web site which will crash unsuspecting Tuxers' boxen and cause any unsaved data in open apps to go away.
  4. Sick and tired of this self congratulation by matusa · · Score: 5, Insightful

    OK, is anyone else sick of the inane way in which we compliment ourselves continuously?

    Come on, we really do not need to say these sort of things nah nah, we fixed something first, we're better than you. Does anyone else find it retarted that you can crash an X server just by telling it to display a font which is too big?

    What about the fact that we STILL don't really take advantage of gfx hardware for 2D presentation? or the fact that fonts still look like ass?

    If you think we can laugh at others, check those market share figures. We have a lot of work to do.

  5. Re:Serious Linux Flaw? by Tim+C · · Score: 5, Informative

    You can use the ulimit command to set an upper limit on the memory available to any process started by the shell under which it is issued.

    Just putting something like ulimit -m 200000 in your startx script should limit X's memory usage to 200meg.

    ulmit can also set upper limits on available CPU time, core file size, etc. Bash has a builtin version, so do man bash and look for ulimit for more details.

    --
    It's official. Most of you are morons.
  6. Re:What rubbish by krmt · · Score: 5, Insightful
    I agree that the X bug is very serious (and I'm particularly worried about it because Debian doesn't even have the newest XFree86 revision in it, so where am I going to get the patch for this) but there is a difference in terms of the problem.

    This is a lot easier to exploit for the malicious hacker than the IIS bug. You just set up a page with huge fonts and that it, you've crashed X. But the payoff for that is a laugh at the (relatively) rare X user who visits your site.

    As for the IIS bug, I'll just quote the Wired article...
    Microsoft acknowledged a serious flaw Wednesday in its Internet server software that could allow sophisticated hackers to seize control of websites, steal information and use vulnerable computers to attack others online.
    This, in my opinion, is a lot worse than simply crashing X. Hell, my Windows 98 crashes almost daily but that doesn't stop me from using it. Crashing isn't so bad. Black Hats stealing information and gaining control of my computer, that's bad.
    --

    "I may not have morals, but I have standards."

  7. Re:This goes to show... by CaptainZapp · · Score: 5, Interesting
    The fact is Microsoft doesn't give a damn, because it doesn't need to give a damn anymore. Windows in its various forms continues to have outrageous security holes [...]

    I think you're wrong here, since Microsoft was always very, very good at feeling out the vibes of their customer base. The current perception in the marketplace is, that Microsofts security is beyond rotten. Since even the Gartner Group got on the bandwaggon, Microsoft seems to be scared shitless about that public perception.

    The problem is the same as the sorcerers apprentice, who just can't get rid of the monsters anymore.

    For years and years Microsoft has (overladden-) their products with features and bloat. They missed the internet entirely and when they realised their mistake they rushed an inherently insecure internet platform into the market and during all this time they didn't give a flying f*ck about security.

    I agree, that Microsoft is an extremely arrogant company, that regards their customer base as cows to be milked and taken for a ride in every way possible.

    The problem is that perception is changing and so they are frantically trying to restore trust; they can't let such glitches happen by purpose.

    I think it's too late though to call the monsters back in and even worse:

    It is my true conviction that any IT responsible on any level using IIS on new projects is guilty of gross negligence and incredible incompetence.

    --
    ich bin der musikant

    mit taschenrechner in der hand

    kraftwerk

  8. Serious money in this. by WasterDave · · Score: 5, Funny

    It strikes me that there might be some quite serious money in these "agreements with Microsoft". In a post dotcom world, it's a pretty plausible business plan:

    * Find holes in MS software.
    * Publicise them frantically.
    * Come to "an agreement".
    * Kachingggggg!

    Dave

    --
    I write a blog now, you should be afraid.
  9. The Killer App by krmt · · Score: 5, Insightful
    My question is, what's open-source's killer app?
    Freedom.

    That's it, pure and simple. Freedom to do what you want with your machine. Freedom from proprietary formats and the hassle of interchanging data with others. Freedom to alter the code in any way you want, or to learn from it. Freedom to participate in more substantial ways than buying and installing some product from off the shelf. Freedom to use your computer as it best suits you, not as it best suits Bill Gates or Steve Jobs.

    This might sound like fluff, but this is the reason why I gave up on Apple years ago, and it's why I've stayed with Linux ever since then. Apple has done some great things in the past few years, and I applaud them for it, but they are still not Free as in Freedom. Yes, I know about Darwin, but what about Aqua? Yes, I know about QTS Server, but what about iMovie? I'm not saying Apple should open these products or that they shouldn't make money, but simply that they're not going to make any more money from me because I will never feel safe with them after they discontinued a raft of great technology. This will not happen with Linux. Ever.

    That's the killer app for me, and I know it's the killer app for others. Microsoft and Apple will never fully offer that freedom, and as a result I can never trust them fully. They might have more innovative products, but it doesn't matter. Quickdraw GX was innovative. So was Opendoc. And the original Cocoa project (kid's programming environment that I dearly miss). Where are these projects now? Innovation doesn't matter. Just that you're there, and free stuff will always be there, whether it's GPL or BSD or whatever, so long as it's Free as in Freedom. That's a far more powerful killer app than any I've ever heard of.
    --

    "I may not have morals, but I have standards."

  10. Three days? Rather a bit longer.... by Erik+Hensema · · Score: 5, Interesting

    I am pretty sure this bug has been in Bugzilla for months without being fixed. However, bugzilla-search seems to be broken so I cannot prove it right now.

    However, I am 100% positive I crashed my machine due to a remotely exploitable X bug using Mozilla a few months back. That bug is in bugzilla (search on crash, X, css, hensema when bugzilla search works again).

    --

    This is your sig. There are thousands more, but this one is yours.

  11. Not me. by Per+Abrahamsen · · Score: 5, Insightful
    Slashdot is and has always been an advocacy site, and has never prentended to be anything else.

    It presents the GNU/Linux and free software side, which is a small step towards bringing balance, as we do not have the big advertisement budgets to buy editorial good will, or money to order favorable rewievs from "the customer is always right" analysis companies.

    What I am getting tired of is the the people who whine that slashdot is not Ars Technica or kuro5hin, both excellent web places with a different focus than slahsdot.

    What about the fact that we STILL don't really take advantage of gfx hardware for 2D presentation?
    What do you mean "we", white man? I have "taken advantage of" 2D gfx hardware under Unix for longer than slashdot (or Linux) has existed.

    or the fact that fonts still look like ass?
    They fonts don't look "like ass" on my screen. I guess what you want is anti-aliasing. The free technology for that is awailable, it is just a question of installing it. Maybe your OS distributor have done it for you in a sufficiently recent version.
  12. Um, then why does it matter? by Sycle · · Score: 5, Insightful

    If people don't apply patches, fixes, updates and security recommendations, then Microsoft could have released a fix in 2 seconds, and it still won't do any good.

    Linux and other open source software aren't impervious to bugs being discovered either, they just respond faster - so the lesson here is simply "if you're an idiot, you can get '0wn3d' on any OS".

    Yeah it sucks that Microsoft take two months to fix an exploit, but if it only affects a service that would have been switched off already if you followed instructions, then it's not *that* big of a deal.

  13. Open Source business plan finally complete by DeadMeat+(TM) · · Score: 5, Funny
    You've done it!

    1. Write open-source software
    2. Find holes in MS software, publicize them frantically, and come to "an agreement"
    3. Profit!