Slashdot Mirror


WebDAV Buffer Overflow Attack Compromises IIS 5.0

rf0 writes "Well, CERT is reporting a new overflow attack for IIS 5.0. Microsoft has released a bulletin. Better download those patches and fix another security hole." According to this CNET story, Microsoft says that this is already being exploited, at the very least since last Wednesday.


  1. Re:I compromised your mom's ass last night by Anonymous Coward · · Score: -1, Troll

    Hate to break it to you fella but if the mom in question is mine then you were enjoying my sloppy-seconds. Hoo-ya.

  2. Re:Patch? by wiggys · · Score: -1, Troll

    If only Slashdot would post a thread every time something on *n?x needed patching then Slashdot would probably Slashdot itself!

    --

    Sorry, but my karma just ran over your dogma.

  3. Don't ask, don't tell by Anonymous Coward · · Score: -1, Troll

    MacOS the unhackable military OS.

    nice troll.

    I see some sycophant /. leghumper of a mod even gave you points for it.

  4. It's clear that you don't understand security... by marick · · Score: 0, Troll

    WebDAV is more like a VPN. Sure, you COULD set it up poorly and give everybody access to all your documents.

    On the other hand, using any number of authentication schemes (including through an LDAP server, behind a firewall), you can lock it down as tightly as you'd like. And yes, it runs over HTTPS as well as HTTP, so even your port 80 crack is laughable.

    Or perhaps you think all web-based applications are inherently insecure? (I'd like some evidence to back this one up)

  5. Bullshit by NineNine · · Score: -1, Troll

    That's such a crock of inflammatory, ill-informed bullshit, I don't know where to start. Dumping IIS because of a few security holes is really fucking stupid for a ton of reasons that I don't even have time to go into.

    1. Re:Bullshit by NineNine · · Score: 1, Troll

      It's not the holes, it's the policy. IIS runs as LocalSystem by default.

      So what? You can run IIS under any user. Also, NTFS has very granular file level permissions. It's no less secure than Apache. Default settings do not have a whole hell of a lot of bearing on the quality of an app in my book. That's why they're settings... they can be changed.

  6. Re:OK, so how about by The Bungi · · Score: 0, Troll

    And you complain about balance. Look in the mirror.

    Yeah, I guess I have to try harder.