Slashdot Mirror


WebDAV Buffer Overflow Attack Compromises IIS 5.0

rf0 writes "Well CERT is reporting a new overflow attack for IIS 5.0. Microsoft has released a bulletin. Better download those patches and fix another security hole." According to this CNET story, Microsoft says that this is already being exploited, at the very least since last Wednesday.

3 of 367 comments

  1. It's clear that you don't understand security... by marick · Score: 0, Troll

    WebDAV is more like a VPN. Sure, you COULD set it up poorly and give everybody access to all your documents.

    On the other hand, using any number of authentication schemes (including through an LDAP server, behind a firewall), you can lock it down as tightly as you'd like. And yes, it runs over HTTPS as well as HTTP, so even your port 80 crack is laughable.

    Or perhaps you think all web-based applications are inherently insecure? (I'd like some evidence to back this one up)

  2. Re:OK, so how about by The Bungi · Score: 0, Troll

    And you complain about balance. Look in the mirror.

    Yeah, I guess I have to try harder.

  3. Re:Bullshit by NineNine · Score: 1, Troll

    It's not the holes, it's the policy. IIS runs as LocalSystem by default.

    So what? You can run IIS under any user. Also, NTFS has very granular file level permissions. It's no less secure than Apache. Default settings do not have a whole hell of a lot of bearing on the quality of an app in my book. That's why they're settings... they can be changed.