Slashdot Mirror

← Back to Stories (view on slashdot.org)

Microsoft Downplays IIS Bug Threat

Posted by Soulskill on from the this-is-not-the-bug-you're-looking-for dept.

snydeq writes "Microsoft confirmed that its IIS Web-server software contains a vulnerability that could let attackers steal data, but downplayed the threat, saying 'only a specific IIS configuration is at risk from this vulnerability.' The flaw, which involves how Microsoft's software processes Unicode tokens, has been found to give attackers a way to view protected files on IIS Web servers without authorization. The vulnerability, exposed by Nikolaos Rangos, could be used to upload files as well. Affecting IIS 6 users who have enabled WebDAV for sharing documents via the Web, the flaw is currently being exploited in online attacks, according to CERT, and is reminiscent of the well-known IIS unicode path traversal issue of 2001, one of the worst Windows vulnerabilities of the past decade."

2 of 114 comments (clear)

  1. Serious question by Ash-Fox · · Score: 3, Interesting

    Serious question, has the Apache package even had any bad vulnerabilities like this in the past ten years?

    --
    Change is certain; progress is not obligatory.
    1. Re:Serious question by Twillerror · · Score: 5, Interesting

      Serious answer. Apache is a modular beast and since doesn't get blaimed for modular problems like this.

      There have been issues even bigger in various mods like mod_php.

      Even code red was a problem with Internet printing and not really the core IIS. Maybe IIS should have blocked it and already had URLScan, but ultimately it was just passing a URL along some C++ code that blew up. MS created that .DLL so we can blame MS..but blaiming IIS itself was slightly off.

      The core of both IIS and Apache have been pretty well hardened. Hence why WebDav is turned off in IIS 6. Even .ASP has to be turned on during setup.

      MS puts out it's own mods essentially...where Apache would have a different team working on WebDAV. If the same "exploit" was found in mod_webdav who could we really blame. Yell at the Apache foundation...no we would professionally fix the issue. Maybe some flaimbaiters on the other side would yell..."see open source is less secure".

      Softwares has bugs, some of them are security related. When open source creates them they are presented as bugs...when MS creates them it is some kind of great conspiracy to rule the world. Some guy just like you wrote this bad code and is probably feeling like crap today. Some tester let it get thru and is feeling really crappy today. A bunch of dudes in at both MS and the rest of the security community are pulling up their britches and getting it fixed...move along nothing to really see here.