Millions of Websites Affected By Unpatched Flaw in Microsoft IIS 6 Web Server (pcworld.com)
A proof-of-concept exploit has been published for an unpatched vulnerability in Microsoft Internet Information Services 6.0, a version of the web server that's no longer supported but still widely used. From a report on PCWorld: The exploit allows attackers to execute malicious code on Windows servers running IIS 6.0 with the privileges of the user running the application. Extended support for this version of IIS ended in July 2015 along with support for its parent product, Windows Server 2003. Even so, independent web server surveys suggest that IIS 6.0 still powers millions of public websites. In addition, many companies might still run web applications on Windows Server 2003 and IIS 6.0 inside their corporate networks, so this vulnerability could help attackers perform lateral movement if they access such networks through other means.
Why would someone run a Microsoft web server vs. Nginx on OpenBSD?
Just asking, cuz I honestly can't fathom a situation where this would be desirable??? Maybe I'm missing something?
You're missing the baseball/handegg/etc tickets someone high in your company got.
The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
Nginx wasn't around when the website was created.
It doesn't matter how secure your OS is if you're running a vulnerable web server. If you open telnet on OpenBSD, you can consider yourself pwned.
Nginx has a better record than IIS, but you know, it's not perfect. Maybe you can run a proxy in front of it to defend against security vulns.
"First they came for the slanderers and I said nothing."
But you can still run apache(1) if you choose to.
I assume you're talking about an Apache v1.x release. That would make you just as much an idiot as those whom you are mocking. The last Apache v1.x release was 1.3.42 and has been EOL for 5 years longer than IIS 6.
And no, you can't just blindly upgrade either. Apache 2 dropped support for some OSes, putting you in exactly the same boat: upgrade the OS or run an unpatched leaky sieve of a web server.
Only idiots think 5 years is a long time.
For critical infrastructure, only idiots would run something for decades beyond its support life. Especially something as bloody simple and easy to upgrade as a web server.
Use. Linux.
And what would that bring? Apache has the same support life as IIS.
IIS 6 and Windows 2003 came out in 2003 and were EOLed in 2015.
Apache 2.0 and Linux 2.4.19 came out in 2003 and were EOLed in 2013 and 2012 respectively.
Silly take home message: You get a year longer support with MS.
Real take home message: Not using MS doesn't make you any less stupid of a system admin if you don't update your public-facing software and run systems that are currently in their service life.