Slashdot Mirror


Millions of Websites Affected By Unpatched Flaw in Microsoft IIS 6 Web Server (pcworld.com)

A proof-of-concept exploit has been published for an unpatched vulnerability in Microsoft Internet Information Services 6.0, a version of the web server that's no longer supported but still widely used. From a report on PCWorld: The exploit allows attackers to execute malicious code on Windows servers running IIS 6.0 with the privileges of the user running the application. Extended support for this version of IIS ended in July 2015 along with support for its parent product, Windows Server 2003. Even so, independent web server surveys suggest that IIS 6.0 still powers millions of public websites. In addition, many companies might still run web applications on Windows Server 2003 and IIS 6.0 inside their corporate networks, so this vulnerability could help attackers perform lateral movement if they access such networks through other means.

91 comments

  1. Microsoft Web Server? by Anonymous Coward · · Score: 1

    Why would someone run a Microsoft web server vs. Nginx on OpenBSD?

    Just asking, cuz I honestly can't fathom a situation where this would be desirable??? Maybe I'm missing something?

    1. Re:Microsoft Web Server? by Anonymous Coward · · Score: 1

      You can't understand this because you don't have a Masters of Business Administration degree.

    2. Re:Microsoft Web Server? by KiloByte · · Score: 1, Informative

      Why would someone run a Microsoft web server vs. Nginx on OpenBSD?

      Just asking, cuz I honestly can't fathom a situation where this would be desirable??? Maybe I'm missing something?

      You're missing the baseball/handegg/etc tickets someone high in your company got.

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    3. Re:Microsoft Web Server? by Anonymous Coward · · Score: 3, Insightful

      Why would someone run a Microsoft web server vs. Nginx on OpenBSD?

      Just asking, cuz I honestly can't fathom a situation where this would be desirable??? Maybe I'm missing something?

      - "It's working, why would we buy a new server?"
      - "That's a business-critical application that has to run on Microsoft(tm) Windows(tm) Internet-Information-Server(tm), touch it and you're fired"
      - "Just install a security-patch or something and stop whining"
      - "what???? Windows2003 is end-of-life? Never heard of that, we need at least two years to plan a migration to Windows 2008.... oh fuck, that's also going eol next month???"

    4. Re:Microsoft Web Server? by Anonymous Coward · · Score: 0

      Company requirement is my reason!

    5. Re:Microsoft Web Server? by phantomfive · · Score: 3, Informative

      Nginx wasn't around when the website was created.
      It doesn't matter how secure your OS is if you're running a vulnerable web server. If you open telnet on OpenBSD, you can consider yourself pwned.
      Nginx has a better record than IIS, but you know, it's not perfect. Maybe you can run a proxy in front of it to defend against security vulns.

      --
      "First they came for the slanderers and i said nothing."
    6. Re:Microsoft Web Server? by Anonymous Coward · · Score: 0

      "No, lieutenant, your servers are already dead" -- Agent Smith

    7. Re:Microsoft Web Server? by mandark1967 · · Score: 2

      This pretty much summed up our last CIO Meeting.

      --
      Sig Follows: "Suppose you were an idiot. And suppose you were a member of Congress. But I repeat myself." -- Mark Twain
    8. Re: Microsoft Web Server? by cyber-vandal · · Score: 2

      Because rewriting all your ASP.NET apps to run under nginx costs a lot for little noticeable business benefit.

    9. Re: Microsoft Web Server? by Anonymous Coward · · Score: 0

      when u get pwn3d i'll like to hear you make some type of business case for windows vs openbsd

    10. Re:Microsoft Web Server? by ilsaloving · · Score: 1

      Why would someone run a Microsoft web server vs. Nginx on OpenBSD?

      Off the top of my head:
      -Dependency on a microsoft technology from that era, eg ActiveX
      -The application it runs was made by a consulting company and cannot be upgraded/replaced with something else without undo cost
      -Because the administrator was/is a Minesweeper Consultant and Solitaire Expert who doesn't know anything about this linux stuff
      -There is no administrator at all and the server is basically some dust-collecting artifact somewhere, running forever until the hardware fails.

    11. Re: Microsoft Web Server? by Anonymous Coward · · Score: 0

      Undo cost? Have you tried ctrl-z?

    12. Re:Microsoft Web Server? by WaffleMonster · · Score: 1

      Why would someone run a Microsoft web server vs. Nginx on OpenBSD?

      Just asking, cuz I honestly can't fathom a situation where this would be desirable??? Maybe I'm missing something?

      When most of these systems were created there were basically only two options. Apache or IIS.

      Apache forked worker processes to handle each incoming web request separately. This gave it high reliability vs IIS as sloppiness or programming defects simply vanished when a forked process died.

      With IIS errors accumulated until IIS went bonkers and crashed.

      Yet apache sucked for data driven applications because you couldn't maintain connection/application state in-process without running some kind of proxy to something having equivalent complexity and consequences of simply running a web server in-process to begin with.

      Now tools and process models are significantly more advanced across the board regardless of individual platform preferences.

    13. Re: Microsoft Web Server? by Anonymous Coward · · Score: 0

      I'll put an unpatched Netware 4.12 server **directly on the internet** before I ever put *anything* windows-related on there.

      And yeah, you can run Nginx just fine under Netware. It compiles as clean as a baby's ass using WATCOM C/++.

    14. Re:Microsoft Web Server? by thegarbz · · Score: 1

      Why would someone run a Microsoft web server vs. Nginx on OpenBSD?

      Maybe because Nginx wasn't even released when Windows 2003 and IIS 6 were?

      It is quite desirable to run something rather than nothing when you have to serve up a webpage.

      It is even more desirable if you're a 100% MS shop.

      And running Apache / Linux or Nginx / OpenBSD doesn't make you any less stupid if you don't upgrade your software to a current supported release.

    15. Re:Microsoft Web Server? by Anonymous Coward · · Score: 0

      Because OpenBSD is a nice proof of concept and not a production ready server, since you know it doesn't even support SMP, and the devs are vehemently against virtualization.

    16. Re: Microsoft Web Server? by phantomfive · · Score: 3, Funny

      I'll put an unpatched Netware 4.12 server **directly on the internet**

      That's a good idea. No one will know how to hack into it over IPX.

      --
      "First they came for the slanderers and i said nothing."
    17. Re: Microsoft Web Server? by cyber-vandal · · Score: 1

      It's pretty easy really. Does the software (third party and in house) that we need to run our business run on OpenBSD? No. Is there an equivalent? No. How much will it cost to rewrite everything? Tens of millions and huge disruption. Ok we'll pay a fraction of that to threat mitigation companies instead. I have nothing against OpenBSD. It's an excellent piece of software, but there are so many things it doesn't run. If Windows could be replaced so easily it already would have been.

    18. Re:Microsoft Web Server? by Billly+Gates · · Score: 1

      Try running 1st build of nginx from last decade and let me know how that security is?

    19. Re: Microsoft Web Server? by Anonymous Coward · · Score: 0

      Granted I'm retired from IT due to disability but while I was still working 2 1/2 years ago some of my clients were simply not in a financial position to migrate off server 2003 at that time. In their case, their business had been spun off from working with a hospital. It was an obgyn. While they were doing very well they were still running a tight budget. They simply didn't have the funds and yes they had to run Windows due to the software they were using and there was no Linux based version. Now I do know that they eventually upgraded to newer versions of Windows Server. Sometimes businesses have no choice but to stick with the older versions.

      I know this might surprise some Linux warriors but some people use the best tool for the job and that isn't always Linux distro flavor of the day. You have to accept your client's environment and work with it as best you can.

      -GeekPoet

  2. There's nothing you can do about idiot admins by Viol8 · · Score: 4, Interesting

    Extended support finished 2 years ago yet apparently there are still many admins (I used that term advisedly) running public facing websites who think it's perfectly acceptable to run this software. This is beyond moronic but short of giving them all a royal kick up the backside I can't see a solution unless the companies involved fancy paying MS $$$ for a fix just for them.

    1. Re:There's nothing you can do about idiot admins by Anonymous Coward · · Score: 0

      Extended support finished 2 years ago yet apparently there are still many admins (I used that term advisedly) running public facing websites who think it's perfectly acceptable to run this software.

      and even more bosses who don't want to spend money on a (working) system that said admin has been whining about for half a decade, that it should be replaced...

    2. Re: There's nothing you can do about idiot admins by Anonymous Coward · · Score: 0

      The admins are no longer there. They've been laid off. The boxes run themselves and have been hacked by 6 botnets.

    3. Re:There's nothing you can do about idiot admins by bill_mcgonigle · · Score: 4, Insightful

      You'll be hard pressed to find even a Windows admin who wants to run 2003-era stuff now. But due to the high cost of Windows infrastructure, reluctant beancounters, and their lack of political savvy they have neither the manpower nor the budget to upgrade, and lack the confidence to quit over it.

      Sure it's based on bad decisions from the past, but today they are paying the bill. And that cost may be having all of their private data exfiltrated.

      The weak and foolish perish - same as always.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    4. Re:There's nothing you can do about idiot admins by known_coward_69 · · Score: 1

      this is more about idiot developers who go all autistic at the thought of having to lift a finger to change code that won't work on newer versions of IIS

    5. Re:There's nothing you can do about idiot admins by Anonymous Coward · · Score: 1

      Idiot developer is right. I'm not an expert web developer, but to me, coupling the web application to the web server seems like a terrible idea. Whoever did that needs to be clobbered with extreme prejudice.

      At work, we run an nginx-uwsgi-django stack. I can pretty much swap any of those components out without breaking the other. Live. With split-second downtime.

      In fact, that is what we did at some point. We threw out Apache and its crappy wsgi implementation and put this in place with minimal effort. The application didn't notice a thing (other than running way faster than before, but that's another story).

      "In theory", the programmer doesn't have to lift a finger if he built things right in the first place. Of course, these are web developers we are talking about...

    6. Re:There's nothing you can do about idiot admins by Anonymous Coward · · Score: 0

      Think if you could swap any of those components to their 2003 counterpart. Would it still work? I don't think so.

      We do have scripts that still think they are deploying to IIS6 when in fact it's IIS9 (or whatever server 2012r2 has) and it still works.

    7. Re:There's nothing you can do about idiot admins by Anonymous Coward · · Score: 0

      For me it's always been a management problem; previous job I inherited several IIS 6 websites I had to maintain. They did break with the upgrade to IIS 7, but at my level at the time I didn't get to make decisions. It would have taken an estimated 2 weeks to fix the problems and test it out - practically no time at all! Yet over and over I was told don't work on it, it's running fine as is and there are other projects that are priority. Meanwhile 2 years go by and the thing never got upgraded, there was always another priority...I left the company, but I wouldn't be surprised if that was still going on...

    8. Re:There's nothing you can do about idiot admins by WaffleMonster · · Score: 1

      Idiot developer is right. I'm not an expert web developer, but to me, coupling the web application to the web server seems like a terrible idea.

      IIS applications use well known published interfaces same as your uwsgi application.

    9. Re:There's nothing you can do about idiot admins by phantomfive · · Score: 1

      Think if you could swap any of those components to their 2003 counterpart. Would it still work?

      Apache sure would.

      --
      "First they came for the slanderers and i said nothing."
    10. Re:There's nothing you can do about idiot admins by Billly+Gates · · Score: 1

      Fuck em

      I quit because of this. Server 2003 IS NOT SUPPORTED. It should be a HIPAA and PCI problem as how can you secure something that is not patched.

      The IT directors need to know and get involved. Imagine a ransomware infection?

    11. Re:There's nothing you can do about idiot admins by Billly+Gates · · Score: 1

      Why would developers need to get involved? Asp.net is supported on more modern versions of IIS

    12. Re: There's nothing you can do about idiot admins by Anonymous Coward · · Score: 0

      You didn't quit shit, liar.

    13. Re:There's nothing you can do about idiot admins by Gr8Apes · · Score: 1

      Imagine a ransomware infection?

      It'd be hard, the ransomware would fail - expected function 'n' not available, crash....

      --
      The cesspool just got a check and balance.
    14. Re:There's nothing you can do about idiot admins by Cramer · · Score: 1

      The issue is not the server, per se, but the components that can only be run from that old version. I have a few of those still around (toshiba pbx management engine: you give it its own VM and never fuck with any part of it! Shut down the VM when it's not being used.)

      if he built things right in the first place

      WRONG. Obviously you aren't a programmer, nor do you know any. Functions get changed, renamed, deprecated, and removed. No matter how well you write your java craplet, changes in the JRE will eventually break it. I have a desktop full of various versions simply because apps can't work with newer versions. The same is true of perl, python, and php applications on Linux.

  3. From 2003? by MobyDisk · · Score: 4, Interesting

    independent web server surveys suggest that IIS 6.0 still powers millions of public websites

    Whaa?? Who runs a public web site on a 14-year old version of the server???? That site claims 8 million of them!

    1. Re:From 2003? by Anonymous Coward · · Score: 0

      In reality there are not millions of sites actually vulnerable as WebDAV has to be enabled (not a majority and not in millions).

      shodan.io only shows ~53 that actually have Sharepoint enabled IIS6 sites which would be likely to have WebDAV enabled.

      Overblown media hype.

    2. Re:From 2003? by thegarbz · · Score: 1

      Is the website still working? It looks okay on my 4k LCD screen so it must be running just fine. Why would you want money to upgrade something which works just fine?

      Signed
      Pointy Haired Boss.

    3. Re:From 2003? by StormReaver · · Score: 0

      Whaa?? Who runs a public web site on a 14-year old version of the server????

      There are plenty of dumb people who still think that Windows belongs in a public-facing capacity. It doesn't matter which version of Windows you use to underpower your Web server. You were screwed the moment your management decided to use Microsoft.

    4. Re:From 2003? by Gr8Apes · · Score: 1

      Whaa?? Who runs a public web site on a 14-year old version of the server????

      There are plenty of dumb people who still think that Windows belongs in a public-facing capacity. It doesn't matter which version of Windows you use to underpower your Web server. You were screwed the moment your management decided to use Microsoft.

      Absolutely. Microsoft and servers do not belong in the same sentence.

      --
      The cesspool just got a check and balance.
  4. No offense but by Anonymous Coward · · Score: 2, Interesting

    But that's what you get for choosing a MS product.
    As comparison: apache moved on to apache2 but you can still run apache(1) if you choose to, no matter the OS.
    It's worse enough having to upgrade your servers to a new OS every few years. It's even worse to upgrade all web and database stuff to newer and usually not backward compatible stuff.
    Only idiots think 5 years is a long time. Plenty stuff out there survives a few decades. It's not the new and shiny stuff that rules the cyberspace world but more often than not the ancient rusty but oiled cogwheels.

    1. Re:No offense but by Anonymous Coward · · Score: 0

      Oh you fucking moron. This was from 2003. They have had two years to move. This is their problem and they get to wallow in it. You sound lazy.

    2. Re:No offense but by BradleyUffner · · Score: 1

      No, that's what you get for choosing a MS product that has been unsupported for 2 years now. Modern versions are just fine.

    3. Re:No offense but by thegarbz · · Score: 3, Informative

      but you can still run apache(1) if you choose to

      I assume you're talking about an Apache v1.x release. That would make you just as much an idiot as those whom you are mocking. The last Apache v1.x release was 1.3.42 and has been EOL for 5 years longer than IIS 6.

      And no you can't just blindly upgrade either. Apache 2 dropped support for some OSes putting you in exactly the same boat, upgrade the OS or run an unpatched leaky sieve of a web server.

      Only idiots think 5 years is a long time.

      For critical infrastructure only idiots would run something for decades beyond its support life. Especially something as bloody simple and easy to upgrade as a web server.

    4. Re:No offense but by Anonymous Coward · · Score: 1

      Apache 2 dropped support for some OSes putting you in exactly the same boat

      What does "support" have to do with anything? It's free software. Compile it for your "unsupported" OS.

  5. You get what you deserve by Anonymous Coward · · Score: 0

    If you're running a website on IIS you deserve to be hacked.

  6. Use Linux by stooo · · Score: 0

    Use. Linux.

    --
    aaaaaaa
    1. Re:Use Linux by liooth · · Score: 1

      This answer is as dumb, as it can get by biological means; not sure, if a specialized AI could beat that...

      It's not about Windows vs. Linux, it's about management vs. IT. A 14 year old Linux server will not fare any better, in fact, it's a lot easier to build a shitty server with Linux than it is with Windows. I've done web servers with VMS, OS/2, Unix, Windows and Linux and you can build decent servers with any system, as long as you know, what you're doing. The key has always been to convince the CFO, that it's worth it to keep the system up-to-date...

    2. Re:Use Linux by hcs_$reboot · · Score: 0

      This answer is as dumb, as it can get by biological means

      Yeah, but you know on Linux people don't have to worry about the cost of a web server/OS - and when a patched or new version comes on the horizon, nobody thinks twice before upgrading (IIS depends biologically upon its OS, and often an IIS upgrade requires an OS upgrade).

      This answer is as dumb, not sure, if a specialized AI could beat that...

      If an AI can beat that, it's definitely not dumb!

      --
      Slashdot, fix the reply notifications... You won't get away with it...
    3. Re:Use Linux by Anonymous Coward · · Score: 0

      Linux forces you on a constant upgrade treadmill, though admittedly, the treadmill is free. But then you're left to the whim of some random package maintainer who decides to deprecate a library you need to compile your LOB app. The worst part is, because of the dependency hell in Linux, your package manager will fuckup your versioning (or worse, go into an infinite dependency check loop) if you decide to get the older shared library. If you want to get off the treadmill, then you need to pay someone like RedHat...

      I rather like the easy nature of Windows where I can just copy my LOB executable onto any windows machine and it just works. This simple task is impossible on Linux and will continue to remain impossible in the foreseeable future.

    4. Re:Use Linux by liooth · · Score: 1

      Yeah, but you know on Linux people don't have to worry about the cost of a web server/OS

      Depending on your scope of responsibility and the number of customer systems, licensing costs are your least concerns. Right now, I'm in charge of ~150 Linux servers and ~40 Windows servers. The customers on Windows had no problems with 30 minutes of downtime on a Wednesday night (they know Windows update!), but the Linux customers were bitching around like puberting teenagers...

      - and when a patched or new version comes on the horizon, nobody thinks twice before upgrading (IIS depends biologically upon its OS, and often an IIS upgrade requires an OS upgrade).

      You never had to deal with C-level, right?

      This answer is as dumb, not sure, if a specialized AI could beat that...

      If an AI can beat that, it's definitely not dumb!

      It has to be really smart to appear dumber... :)

    5. Re:Use Linux by thegarbz · · Score: 3, Informative

      Use. Linux.

      And what would that bring? Apache has the same support life as IIS.

      IIS 6 and Windows 2003 came out in 2003 EOLed in 2015
      Apache 2.0 and Linux 2.4.19 came out in 2003 EOLed in 2013 and 2012 respectively.

      Silly take home message: You get a year longer support with MS.

      Real take home message: Not using MS doesn't make you any less stupid of a system admin if you don't update your public facing software and run current in service life systems.

    6. Re:Use Linux by DrStrangluv · · Score: 1

      I've yet to see a linux distribution supported for even 7 years, let alone the 10 minimum guaranteed by MS. Sure, you can in-place upgrade linux to a new version of the distro, but Windows allows in-place upgrades now, too. You have to pick your poison here. If you are updating, you're gonna have some of the same stability and migration issues on linux that you'll have going to a new version of Windows. If you're not updating, you're eventually running into the same security issues you get running old Windows. As far as *real* long-term stability goes, a linux server might run for a few years without a reboot, but IIS clusters well enough, and Windows can guarantee you a decade of security updates for a platform. I have to give it the edge here.

      Additionally, if you're hosting yourself, and you run VMs, once you've licensed data center edition on the basic hardware, you can spin up as many Windows VMs on that hardware as you need at no extra cost. Really. The basic data center license doesn't cost as much as you seem to think it does. My last purchase was about $200. That's a rounding error even for a startup. I'm in the Ed market, so I get a pretty good discount, but this isn't that far away from the typical. Big customers get extreme volume discounts, small startups can take advantage of programs like BizSpark, and there's a reasonable plan for most of the rest in the middle.

    7. Re:Use Linux by liooth · · Score: 1

      Don't get me wrong: I'm not "pro-Windows" or "pro-Linux" in any way. They both are valid options, but you have to consider the consequences. Keeping a Linux system up-to-date is a bit more work than a Windows system, but the Linux ecosystem is a bit more "snappier" about security issues...

      We should agree on a simple fact: running a webserver on a 14yr old system just isn't a good idea!

    8. Re:Use Linux by DickBreath · · Score: 1

      It is about how you deploy the application. I was going to describe in more detail what I am doing, but it would be too long. In short, you deploy everything together on top of the OS. That is, in my case, I can change the Java runtime and Tomcat server as easily as upgrading the application. (In a nutshell: nothing is installed. Just folders with scripts that point to everything by pathname. Unpack new java runtime folders and new tomcat servers, alter script pathnames, etc. If the OS happens to be Windows, additional step of a script to uninstall service and reinstall service.)

      Now the only thing that is an issue to upgrade is the OS. Minor upgrades can be done along the way. But major upgrades can be done every few years without much effort. Just set up new VM in parallel, set it up with a simple copy of the entire folder structure of what I described above, and switch over. (You're doing this on a staging server first, aren't you?)

      Automate as much as possible. If I ever have to cluster this with two or more application servers, then I will look at using some container technology to automate the deployment of the OS. But that is not a reality yet.

      What I have described is a single application server that uses some other database server (separate topic) which is not all that different from an app on IIS. Except that you can't just swap out IIS by unpacking a new folder and changing a pathname. And if the new server doesn't work out, just change the pathname to point back to the old server and restart the server (not the OS). Or if the new Java version didn't work out (but I can't imagine why) just change pathname to point to the old one, etc.

      Because the cost to change out things is so low it is never a topic that comes up with management. I always have everything up to date. This is an app that can have short scheduled downtimes. I use a lot of automation but not containers as of today. Downtimes are 1 to 2 minutes unless there is a database upgrade such that downtime is 15 to 20 minutes.

      And you test everything on staging first. Two days earlier you get backups of all the live production databases (without interrupting live operation) and restore them on the staging system. Then test out the entire upgrade including database upgrades. That way you have high confidence your db upgrades work. (And if for some reason it ever were to fail, you restore the backups you made before you started upgrading. (you made backups right?) And leave the application un-upgraded. But this hypothetical plan has never been needed.)

      It's really about planning. Before the application ever went live you should have been thinking about how do you upgrade the entire mess, end to end. Frequently. And quickly with short downtime. (Different practices are needed if you can not ever have short downtimes. But I don't live in that world yet.)

      --
      I'll see your senator, and I'll raise you two judges.
    9. Re:Use Linux by Bert64 · · Score: 1

      Linux is more modular, the components are available with source code and the updated versions are both free and more likely to still be compatible with your existing hardware...

      If you absolutely must keep an old version of linux running you have options - you can update the externally facing services yourself (eg nothing to stop you installing the latest openssh on an ancient linux kernel), you can patch and rebuild older source yourself, you can remove things you don't need to decrease the attack surface.

      Upgrades being free, plus most software coming with source code decreases the number of instances where a system is stuck running an old version of linux, in fact most instances of old linux out there are in the form of embedded devices which generally have a stripped down attack surface anyway.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    10. Re:Use Linux by Anonymous Coward · · Score: 0

      So basically if you don't want to be forced to constantly upgrade your distro, you're forced to hire kernel devs, or at least a team of people that can vet and test each patch. And then you cheerleaders want to claim Linux is "free". Yeah OK buddy. This is why the majority of people prefer Windows.

    11. Re: Use Linux by buchanmilne · · Score: 1

      "I've yet to see a linux distribution supported for even 7 years, let alone the 10 minimum guaranteed by MS."

      You haven't heard of Red Hat, or CentOS?

      RHEL5 reached end of standard support yesterday, after just over 10 years. Extended support is available for another 2.5 years:
      https://access.redhat.com/supp...

      CentOS 5/6/7 have the same lifecycle:
      https://linuxlifecycle.com/

      https://wiki.centos.org/About/...

      "Windows can guarantee you a decade of security updates for a platform. I have to give it the edge here."

      Only because you seem uninformed or too lazy to do any research.

      "Additionally, if you're hosting yourself, and you run VMs, once you've licensed data center edition on the basic hardware, you can spin up as many Windows VMs on that hardware as you need at no extra cost."

      Red Hat has similar options, and subscriptions on their RHEV+unlimited supported VMs gives you the same capabilities as VMWare vSphere Enterprise for less than just the vSphere licensing/SnS (so you basically get unlimited supported VMs for free).

      I didn't compare to HyperV because MS was anal enough about licensing a Windows VM for the vCenter server (must pay per CPU-month for every CPU that could potentially run the VM) that we migrated as soon as possible to the vCenter Server Appliance because we spent almost as much licensing one Windows VM as on vSphere for a 6-machine vSphere cluster.

      Of course, if you don't need support, you can run ovirt (community version of RHEV) on CentOS (or Debian) with unlimited CentOS (or Ubuntu or Debian) VMs, for no software cost. Or there are other options for container-based clusters.

  7. ASP.NET, C# and .NET are actually quite good. by Anonymous Coward · · Score: 5, Insightful

    I suppose you've never used ASP.NET or C# or .NET at any point.

    Well, it turns out that they're actually quite good. Their biggest drawback, until recently, was that they were only supported on Windows.

    But in terms of functionality, they're even still lightyears ahead of anything the open source community has managed to create.

    ASP.NET is a sane, sensible way of building large-scale web applications and web APIs. It provides useful abstractions, but without going totally overboard like so many Java web frameworks do. You won't be drowned in design pattern hell. But it also provides more structure than most PHP frameworks provide. Yet it isn't as inflexible and opinionated as Ruby on Rails is. It's as close as anyone has gotten to a practical balance.

    C# is an excellent programming language. It took the best parts of languages like Java and C++, but discarded a lot of their failures. It's a much, much, much better language than PHP or Ruby or JavaScript. It has a great blend of strictness where it's useful, but while also being extraordinarily flexible when that's needed. .NET as a runtime is fast, light and performs very well. It puts the JVM to shame, and it blows the various Ruby and JavaScript interpreters/VMs to pieces. It also includes a complete and sane standard library. The only other library I've ever seen that comes close is Python's. It's hard to go back to Java's standard library after using .NET's, just because Java's ends up looking so inconsistent and dumb so much of the time.

    Microsoft does a lot wrong, but ASP.NET, C# and .NET are some things that they've done so much better than anyone else, and nobody has caught up yet. The open source communities are still dicking around with PHP, Ruby on Rails, and worst of all, Node.js, none of which are anywhere near as good as what Microsoft has created.

    Now we're seeing Microsoft port these technologies to Linux and macOS, which gets rid of their main drawback: the need for Windows.

    Aside from using legacy applications, it's getting to the point where technologies like Ruby on Rails, PHP and Node.js should be seen as obsolete, as the cross-platform technologies Microsoft is now providing are so much better.

    1. Re:ASP.NET, C# and .NET are actually quite good. by Anonymous Coward · · Score: 0

      Absolutely! I would stack MS products up against their FOSS equivalents any day, but there is one tiny problem:

      You need to run them on Windows. Deal killer.

    2. Re:ASP.NET, C# and .NET are actually quite good. by Anonymous Coward · · Score: 0

      You need to run them on Windows. Deal killer.

      It's not 2005 any longer. Modern versions of ASP.NET, C# and .NET Core run on Windows, Linux and macOS, in addition to being open source.

      Here are some links to browse if you're interested in getting up to date:
      - https://www.asp.net/open-source
      - https://github.com/microsoft/dotnet
      - https://github.com/aspnet
      - https://dotnetfoundation.org/
      - https://www.microsoft.com/net/core#linuxredhat
      - https://www.microsoft.com/net/core#macos

      Even SQL Server is being ported to Linux.

      The Microsoft of 2017 is not the Microsoft of the early 2000s.

    3. Re:ASP.NET, C# and .NET are actually quite good. by PPH · · Score: 2

      This may be so. And I'm not going to get pulled into a discussion of how good/bad .NET and its minions are. But it raises the question of why these organizations haven't moved up to a current, supported version of Windows Server and IIS.

      --
      Have gnu, will travel.
    4. Re:ASP.NET, C# and .NET are actually quite good. by phantomfive · · Score: 1

      I spent a couple years doing ASP.NET back in its heyday. I thought it was an over-engineered curiosity. Things like replacing standard HTML elements with ASP specific tags seemed bizarre. It sent so much data back to the server on every request that it felt bloated and wasteful.

      But now.......compared to many popular frameworks, with whole pages written in Javascript (or non-standard JSX), or the bloated mess that is Angular, it seems positively genius. The <UpdatePanel> thing made Single Page Apps easy, long before Node.js was a thing.

      The sad thing is that Microsoft has drunk the Kool-Aid. Internally some of their teams are moving away from ASP.NET, and are going with Javascript frameworks. EntityFramework is dog slow, and while C# is a fine language if you like the Java family of languages, it still has the feel of being a COBOL replacement (much like Java). They are all built for the same purpose.

      --
      "First they came for the slanderers and i said nothing."
    5. Re:ASP.NET, C# and .NET are actually quite good. by guruevi · · Score: 1

      Please add sarcasm tags to your post.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    6. Re:ASP.NET, C# and .NET are actually quite good. by Anonymous Coward · · Score: 0

      Because quality of .NET aside, the community surrounding the technology is full of ignoramuses who applaud their own ignorance. The current article is just another datapoint.

    7. Re:ASP.NET, C# and .NET are actually quite good. by DrStrangluv · · Score: 2

      If you're thinking pre-MVC web forms, ASP.Net is a whole different animal these days, and it's just about as nice as the author claims.

    8. Re:ASP.NET, C# and .NET are actually quite good. by phantomfive · · Score: 1

      If you're thinking pre-MVC web forms

      No.

      --
      "First they came for the slanderers and i said nothing."
    9. Re:ASP.NET, C# and .NET are actually quite good. by Anonymous Coward · · Score: 0

      .NET as a runtime is fast, light and performs very well.

      Aahhhahahaha!!! Oh, you were serious? .NET is none of those things. Have a look at your windows updates history, count the number of versions and patches to .NET and their size.

      Write a simple multi-process application with .NET and one with straight C, then load test them both.

      Shit like this getting modded +5 Insightful is exactly what is wrong with the Slashdot moderation(censorship/shill) system.

      Let me guess, you're a processor sales rep for Intel? A memory sales rep for Samsung? That would explain this kind of shit.

    10. Re:ASP.NET, C# and .NET are actually quite good. by Gr8Apes · · Score: 1

      ASP.NET sucked badly, even when people thought it was good. It was merely another attempt by MS to take over a standard. The koolaid JS framework of the day is no better, we certainly agree there. And UpdatePanel didn't show up until 2007? seriously? Guess we were ahead of our time. C# as a language is kind of schizophrenic - is it C, C++, or Java? Which is it? All 3? And if you doubt this, try writing secure system software with C#. It can't be done. You'll be in C so often you might as well write everything in it and save yourself the context changes.

      --
      The cesspool just got a check and balance.
    11. Re:ASP.NET, C# and .NET are actually quite good. by phantomfive · · Score: 1

      And UpdatePanel didn't show up until 2007? seriously? Guess we were ahead of our time

      I don't think any other framework has something like that, but maybe I'm wrong.

      --
      "First they came for the slanderers and i said nothing."
    12. Re:ASP.NET, C# and .NET are actually quite good. by Gr8Apes · · Score: 1

      It wasn't a framework, at least not one available publicly, but we built a web component in JS that essentially was an in place AJAX application that only loaded once back in 2004. I fully admit I freely built off of Google's suggest feature, a few weeks after it came out. I've since built a couple of variations of this concept in several different frameworks across the years for a number of customers and employers. At least a couple I know of are still using those apps. Now, is it as clean as a single control like UpdatePanel? I'll have to admit I haven't used that particular component, so I couldn't say. But it was simple enough to create Prototype/jQuery based JS combined with SpringMVC applications or wholly encapsulated JSF based applications that did exactly that. Don't get me wrong, JSF anything sucks royally, but sometimes you don't get to choose. Straight JS with a backing server wasn't hard either. Simple concept, really, once realized, much like a wheel.

      --
      The cesspool just got a check and balance.
    13. Re:ASP.NET, C# and .NET are actually quite good. by phantomfive · · Score: 1

      That's an interesting idea, maybe I'll try it.
      The updatePanel is great because you don't have to do anything other than surround a desired section of HTML with an <UpdatePanel> tag and then anything inside it will get updated without a reload of the page.

      --
      "First they came for the slanderers and i said nothing."
    14. Re:ASP.NET, C# and .NET are actually quite good. by Gr8Apes · · Score: 1

      That's pretty much the same thing with the particular JSF implementation we used. Since the server has the page representation, it controls what's sent down when something changes. The trick was in adding the appropriate pieces in the JSF based controls to enable the server partial pushes. I believe this particular feature is no longer possible because the implementation we used actually broke the JSF spec if you used it the way we did, and the "fix" was to refresh the page on update, precisely what we didn't want.

      --
      The cesspool just got a check and balance.
    15. Re:ASP.NET, C# and .NET are actually quite good. by phantomfive · · Score: 1

      That's pretty much the same thing with the particular JSF implementation we used.

      I should probably look around harder, there are surely other frameworks that do it, too.

      --
      "First they came for the slanderers and i said nothing."
  8. It works so it's used by Anonymous Coward · · Score: 0

    Like the question why do some still use Windows XP? Well the answer is the same, it works and so why change and spend money when it works. Lots of old hardware still chugging along and probably not well maintained either. Frankly this idea Linux would be any different if you're using old unsupported code is not understanding the problem. It's the fact nobody is doing anything that's the problem. Sure they could switch to a modern Linux server, could upgrade. Lot of old tech out there and many reasons why it is.

  9. Re:this is why i host my webzones on godaddy.com by kilodelta · · Score: 1

    Well yeah they are rock solid. I left IIS a very long time ago as I realized what an insecure piece of crap it was.

  10. WebDAV by Anonymous Coward · · Score: 0

    WebDAV isn't enabled by default on IIS 6.0, nor is it a dependency of any of the major dynamic content generating extensions like ASP.NET. So the number of actual sites affected by this should be relatively limited.

    IIS 6.0 is 14 years old and no longer under support. NIST lists 10 vulnerabilities targeting IIS 6.0 (including major extensions) in all that time, including this one. That's a damned good track record.

  11. Their own fault by Anonymous Coward · · Score: 0

    No sympathy or pity for the owners of these systems. You don't expose unsupported operating systems or applications to the public internet.

    As a reference on how outdated this is, I believe this OS was contemporary to the 2.6 kernel---which is also no longer maintained.

    Hopefully, if services are down/degraded, their customers will understand how this problem was---and drop them.

    The security on XP/2003 was very modest by modern standards, so everyone should have upgraded a long time ago. Enterprise should be migrating to Windows 8/10 or Server 2012/2016.

  12. Another notch for Windows by Anonymous Coward · · Score: 0

    It seems like the upsides of running an IIS/Windows stack were SO MUCH more than the downsides that people actively stick to using it, even if it means using an older buggier unsupported version...

  13. Re:There's nothing you can do about IDIOT MBAs by Billly+Gates · · Score: 1

    Problem is the guys in suits. Not the geeky admin. Unless there is a ROI it won't ever be upgraded. They work fine. Worse if they outsource to India to cut costs. These contract companies care more to appear cheap and brown nose their MBA clients than fix shit.

    I left my last employer. One of the biggest but not sole reasons was their shit never worked and I was always blamed. We have HIPAA requirements and freaking run them off IE 6 and store files on Server 2003! Worse I replaced the tape drives 3 times because they are 11 years old. I was to blame for reliability, performance, and security. Document shit you get a write up. The MBAs need to make the client happy so shut up etc.

    IT wasn't always considered a cost sink like it is today. The great recession really swung the pendulum too far in the other direction from 1999 in the good old days. It's time it swung back and failing insecure infrastructure mixed with IT geeks quitting might swing it back.

  14. Don't run WebDAV by mr_java66 · · Score: 0

    Don't run WebDAV on IIS 6.0. If you have not stopped already, stop now. Ok, all fixed, now, back to security.

  15. Use hsots file by Anonymous Coward · · Score: 0

    Most efficient ad & threat blocker there is

    APK Hosts File Engine 9.0++ SR-5 32/64-bit https://www.google.com/search?hl=en&source=hp&biw=&bih=&q=%22APK+Hosts+File+Engine%22+and+%22start64%22&btnG=Google+Search&gbv=1/

    Ads & malware rob speed, security & privacy

    Hosts add speed (hardcodes/adblocks), security (bad sites/poisoned dns), reliability (dns down), & anonymity (dns requestlogs/trackers) natively

    Host&s stops all traffic even better than a fierwall to unknown hosts and ports all while us less powr

    Hosts better than AV at detecting malicious software and stop$ in tracks

    Less power/cpu/ram + IO use vs. DNS/routers/addons/antivirus + less security bugs/complexity

    * Using what you already NATIVELY have, built into your TCP/IP stack running in FASTOR kernelmode!

    Able to keep Grandm4 and you kid sister out of your porn stash

    Generate nightly when I sodomize my cat

    So simple it won't actually provide any protectin that a small child couldn't get around

    APK

    P.S. - Safe because it will only keep script kiddies at bay on the best day

  16. Use Hosts instead for bettr fastr protetion by Anonymous Coward · · Score: 0

    Most efficient ad & threat blocker there is

    APK Hosts File Engine 9.0++ SR-5 32/64-bit https://www.google.com/search?hl=en&source=hp&biw=&bih=&q=%22APK+Hosts+File+Engine%22+and+%22start64%22&btnG=Google+Search&gbv=1/

    Ads & malware rob speed, security & privacy

    Hosts add speed (hardcodes/adblocks), security (bad sites/poisoned dns), reliability (dns down), & anonymity (dns requestlogs/trackers) natively

    Host&s stops all traffic even better than a fierwall to unknown hosts and ports all while us less powr

    Hosts better than AV at detecting malicious software and stop$ in tracks

    Less power/cpu/ram + IO use vs. DNS/routers/addons/antivirus + less security bugs/complexity

    * Using what you already NATIVELY have, built into your TCP/IP stack running in FASTOR kernelmode!

    Able to keep Grandm4 and you kid sister out of your porn stash

    Generate nightly when I sodomize my cat

    So simple it won't actually provide any protection that a small child couldn't get around

    APK

    P.S. - Safe because it will only keep script kiddies at bay on the best day

    1. Re: Use Hosts instead for bettr fastr protetion by Anonymous Coward · · Score: 0

      This is about servers, you incompetent buffoon.

  17. I have to ask... by hAckz0r · · Score: 1

    Serious question. What did Microsoft screw up so badly that nobody ever upgraded to a "better" (?) or more secure server?

  18. Impersonating me AGAIN 2nd time? LOL! by Anonymous Coward · · Score: 0

    See subject: You're reduced to impersonating me w/ bogus posts (or downmodding my real posts) & can't prove me wrong technically so yes, I am winning. 2nd time today was here too loser https://yro.slashdot.org/comments.pl?sid=10435839&cid=54153797/ & I catch them all - you can't win (I do because you always lose, loser).

    APK

    P.S.=> Thanks whoever you are impersonating me - you're tipping your hand you can't get the better of me... apk

  19. slaves by Anonymous Coward · · Score: 0

    act like a slave, get treated like a slave. windows users deserve every hack they get. stupid fucks.