Slashdot Mirror


Millions of Websites Affected By Unpatched Flaw in Microsoft IIS 6 Web Server (pcworld.com)

A proof-of-concept exploit has been published for an unpatched vulnerability in Microsoft Internet Information Services 6.0, a version of the web server that's no longer supported but still widely used. From a report on PCWorld: The exploit allows attackers to execute malicious code on Windows servers running IIS 6.0 with the privileges of the user running the application. Extended support for this version of IIS ended in July 2015 along with support for its parent product, Windows Server 2003. Even so, independent web server surveys suggest that IIS 6.0 still powers millions of public websites. In addition, many companies might still run web applications on Windows Server 2003 and IIS 6.0 inside their corporate networks, so this vulnerability could help attackers perform lateral movement if they access such networks through other means.

3 of 91 comments

  1. Re:Microsoft Web Server? by Anonymous Coward · Score: 3, Insightful

    Why would someone run a Microsoft web server vs. Nginx on OpenBSD?

    Just asking, cuz I honestly can't fathom a situation where this would be desirable??? Maybe I'm missing something?

    - "It's working, why would we buy a new server?"
    - "That's a business-critical application that has to run on Microsoft(tm) Windows(tm) Internet-Information-Server(tm), touch it and you're fired"
    - "Just install a security-patch or something and stop whining"
    - "what???? Windows2003 is end-of-life? Never heard of that, we need at least two years to plan a migration to Windows 2008.... oh fuck, that's also going eol next month???"

  2. Re:There's nothing you can do about idiot admins by bill_mcgonigle · Score: 4, Insightful

    You'll be hard pressed to find even a Windows admin who wants to run 2003-era stuff now. But due to the high cost of Windows infrastructure, reluctant beancounters, and their lack of political savvy they have neither the manpower nor the budget to upgrade, and lack the confidence to quit over it.

    Sure it's based on bad decisions from the past, but today they are paying the bill. And that cost may be having all of their private data exfiltrated.

    The weak and foolish perish - same as always.

    --
    My God, it's Full of Source!
    OUTSIDE_IP=$(dig +short my.ip @outsideip.net)

  3. ASP.NET, C# and .NET are actually quite good. by Anonymous Coward · Score: 5, Insightful

    I suppose you've never used ASP.NET or C# or .NET at any point.

    Well, it turns out that they're actually quite good. Their biggest drawback, until recently, was that they were only supported on Windows.

    But in terms of functionality, they're even still lightyears ahead of anything the open source community has managed to create.

    ASP.NET is a sane, sensible way of building large-scale web applications and web APIs. It provides useful abstractions, but without going totally overboard like so many Java web frameworks do. You won't be drowned in design pattern hell. But it also provides more structure than most PHP frameworks provide. Yet it isn't as inflexible and opinionated as Ruby on Rails is. It's as close as anyone has gotten to a practical balance.

    C# is an excellent programming language. It took the best parts of languages like Java and C++, but discarded a lot of their failures. It's a much, much, much better language than PHP or Ruby or JavaScript. It has a great blend of strictness where it's useful, but while also being extraordinarily flexible when that's needed. .NET as a runtime is fast, light and performs very well. It puts the JVM to shame, and it blows the various Ruby and JavaScript interpreters/VMs to pieces. It also includes a complete and sane standard library. The only other library I've ever seen that comes close is Python's. It's hard to go back to Java's standard library after using .NET's, just because Java's ends up looking so inconsistent and dumb so much of the time.

    Microsoft does a lot wrong, but ASP.NET, C# and .NET are some things that they've done so much better than anyone else, and nobody has caught up yet. The open source communities are still dicking around with PHP, Ruby on Rails, and worst of all, Node.js, none of which are anywhere near as good as what Microsoft has created.

    Now we're seeing Microsoft port these technologies to Linux and macOS, which gets rid of their main drawback: the need for Windows.

    Aside from using legacy applications, it's getting to the point where technologies like Ruby on Rails, PHP and Node.js should be seen as obsolete, as the cross-platform technologies Microsoft is now providing are so much better.