Please create an account to participate in the Slashdot moderation system

 


Forgot your password?
Close
typodupeerror
×
Security

Eight New Security Holes in IIS 46

Posted by timothy from the nobody's-perfect dept.
TedCheshireAcad writes: "A story at the Register asserts that MS's 'Trustworthy Computing' campaign has failed once again, with eight new IIS vulnerabilities discovered. The vulnerabilities include such delights as a buffer overflow in the ASP ISAPI filter, improper HTTP header handling, FrontPage Server Extensions problems and more goodies. Both IIS 4 and 5 are vulnerable. Thanks to eEye and @Stake for their advisories here(1) and here(2)."
This discussion has been archived. No new comments can be posted.

Eight New Security Holes in IIS More

Eight New Security Holes in IIS

Comments Filter:
  • only eight?

    Then I guess according to Oracle its UNBREAKABLE.
  • They are using 'Trustworthy Computing' in the sense of, "what you don't know can't hurt you."

    By not informing the public of the holes until they have released a (faulty?) patch, they are demnonstrating incredibly quick turnaround time.

    Of course, in the meantime, all of the IIS systems are vulnerable (able to be vulnered).

  • I can understand if Microsoft would create a decent product, buy after hearing root hole after root hole, WHO WOULD WANT TO USE THIER PRODUCT?

    Even MS sysadmins should have some sort of idea that this web server is horrid in terms of security. So MS Sysads, WHY DO YOU USE THIS???

    • Re:Why? (Score:1, Funny)

      by Anonymous Coward
      > I can understand if Microsoft would create a decent product, buy after hearing root hole
      > after root hole, WHO WOULD WANT TO USE THIER PRODUCT?

      Because the next version will fix all the problems in the current one.

      Seriously. Some nitwits still believe that lie from Microsoft.

      That and it will give you a handjob while you configure it. :-)

    • Because the company insists :( (Score:2, Insightful)

      by Anonymous Coward
      I'm an IT admin at a Fortune 500 company. I like my job, and I like my employer, so I'm posting anonymously.

      We use Microsoft because the company insists on it. I've been working here since 1999, and we've been using MS products exclusively since the day I got here; I assume it was that way before I got on the scene as well. Our web servers are all NT machines with IIS, and, I might add, all are properly licensed out the ying-yang. There's been a serious push over the past few months to ensure licensing compliance.

      It's all about the suits, folks. The CEO, CTO (sigh), CFO, and COO all use Microsoft products, so they assume Microsoft is it. They won't even entertain the thought of alternatives - not even the CTO (sigh again) - because they've never tried the alternatives. Microsoft has succeeded, in our company as well as plenty of others, at setting the precedent. Microsoft is like corporate crack, the first time's free, after that you pay through the nose (in more ways than one).

      I've tried to convince both my manager and the CTO to switch to either Linux or FreeBSD several times. My manager is somewhat receptive but his manager (the CTO) nixes the idea outright every time. Because he's never used Linux, BSD, or any other open source operating system. Microsoft is all he's ever known and probably all he ever will know. And thus Microsoft is all he's willing to trust or invest in.

      It's sad, really, and I think this situation is pervasive throughout every industry. The real problem is that you get "CTOs" who are 60 years old and completely out of touch with technology - but companies won't hire knowledgeable geeks as CTOs, because they're "too young" to hold executive positions. It's a catch-22 if I've ever seen one and I think Microsoft knows it damn well.

      The rich get richer, the old get older, and the informed geeks get nowhere. Same old status quo.
      • what I've found works if get another machine in there(with bosses permission of course- it could be a 266 with 64 megs of ram, or a laptop even), and tell him you wish to run squid cache proxy for the office to test it out... tell him that it'll be a cut on the huge bandwidth costs(if they're as clueless as you implied).

        After that, run samba on it. Show him how you can use it as a file sharing device. get your immediate boss really warmed up to the Idea. Shovel the regular propaganda.

        then one day have the CTO walk in as your "completing" some heavy task. when he asks what your doing, say you just broke some sort of backup record by cutting it in half. when he asks how, begin shoveling the propaganda. tell him that if they had all the machines on linux, he'd save the company $X in yearly licensing fees...do some quick math- company pays $X to microsoft/2 (for the machines that just aren't replacable at the moment), which would look real good to his bosses, and he'd probably get a fat bonus.

        Tell him if he's interested, you could show him a "test box"(complete with kde 3.0). Tell him how linux has a 24 hour support staff(IRC) and developers around the world constantly working to improve it 24 hours a day. say that it's de-centrallized, so there's no forced upgrades, etc... think it out before you say it tho. don't act excited tho. basically say, "hey, you can make a huge-ass bonus from this if your TRY it." if you don't like it, we can switch back. it's good enough for IBM, so maybe we should try."

        this may or may not work, but it worked on my parents and my girlfriend:)
        • One - people don't generally pay a 'yearly' license fee for most software. It may work out this way with upgrades, but MS seems to be roughly every 2-3 years for an upgrade cycle.

          "24 hour support desk" = IRC? That's a really good line. Honestly, there's lots of good reasons to switch, but that's not a good one.

          Also - do, or do not. There is no try. :) (been dying to quote Yoda for years!)

  • Ridiculous headline (Score:3, Insightful)

    by Anonymous Coward on Thursday April 11, 2002 @10:52PM (#3327625)
    Slashdot:
    Eight new security holes in IIS

    Any Site with Journalistic integrity:
    Microsoft fixes Eight new security holes in IIS

    http://geek.com/news/geeknews/2002apr/gee200204110 11151.htm [geek.com]
    http://www.infoworld.com/articles/hn/xml/02/04/10/ 020410hnflaws.xml [infoworld.com]

    • Re:Ridiculous headline (Score:2, Insightful)

      by AdamBa ( 64128 )
      And the part about "MS's 'Trustworthy Computing' campaign has failed once again" is silly. They just reviewed the code in the last couple of months. The new code has not yet been magically transported onto every machine with IIS installed.

      I'm not saying that IIS is not a pile of slop, of course.

      - adam

      • They just reviewed the code in the last couple of months.

        You're spinning. Shouldn't they have reviewed the code before it shipped?

        • My point was that the "Trustworthy Computing" initiative had not failed. The previous way is still what is failing now.

          The Trustworthy Computing initiative failures will start showing up next year.

          - adam

    • Although the "news" is that Microsoft released a patch for IIS holes, this headline isn't being untruthful. In order to fix a hole, the hole must exist. So obviously if they are fixing 8 holes, 8 holes previously unknown must have been found. Even if the headline had been "Microsoft fixes eight security holes in IIS", to me that would still say, "Hey guess, what? Eight new holes were found in IIS." The slashdot editors just don't care as much about making Microsoft seem like a good company, so they don't try to spin it that way.
      • Yes, they're telling some of the truth.

        But wasn't the trustworthy computing initiative meant to find these holes and fix them? Why are they calling this a failure? Oh, I just remembered. It's from the Register.
    • Not at all.

      The important news is that there are eight new holes, not that they're fixed. Are they fixed on all your company's instances of IIS, or are they holes?

      If it was anyone but Microsoft, it would be the same headline, remember "Open SSH Local Root Hole" http://developers.slashdot.org/article.pl?sid=02/0 3/07/1617211&mode=nested

      If it were any Free Software, it would be taken for granted that fixes would be out immedeately.
    • A site payed by advertisments from commercial software and written by a journalist copying microsoft propag... ^H^H^H^H publications:
      Microsoft fixes Eight new security holes in IIS

      Slashdot:
      Eight new security holes in IIS
    • It's the Register who is orignially to blame. Their assertions often border on ludicrous.

      But I do wonder why Slashdot doesn't do a little rational thinking before they post stories from the Register.

  • Mmmmm 8 holes... (Score:1, Funny)

    by Anonymous Coward
    It's an IIS gangbang!

  • trustworthy computing fails again? (Score:3, Insightful)

    by mikemulvaney ( 24879 ) on Thursday April 11, 2002 @11:08PM (#3327677)
    It seems to me that the Trustworthy Computing campaign is succeeding. They found 8 new bugs, and fixed them (well, they didn't find all 8, but they did find some of them...).

    Yes, it would be better if they didn't have any bugs in the first place, and yes, it would be a lot better if they would announce the bugs before they had the patches ready, but you can't say that the months of code review failed after they actually found something.

    I would be a lot more worried if they didn't find any bugs...

    -Mike

  • it's actually 10... (Score:4, Informative)

    by seigniory ( 89942 ) <<bigfriggin> <at> <me.com>> on Thursday April 11, 2002 @11:12PM (#3327695)
    http://www.microsoft.com/technet/treeview/default. asp?url=/technet/security/bulletin/MS02-018.asp [microsoft.com]

    Impact of vulnerability: Ten new vulnerabilities, the most serious of which could enable code of an attacker's choice to be run on a server.

    What's wrong with the /. hype machine these days? First it takes 2 days to post the news, then they understate the scope of the problems.

    • Re:it's actually 10... (Score:3, Insightful)

      by Dr. Tom ( 23206 )
      Yeah, when the announcement first came out they rejected it because it was evidence that MS is delivering on the promises they made. Now, two days later, late at night, it slipped in accidentally as an MS bashing article. Duh.

      They should be applauding MS for biting the bullet and announcing these flaws. MS could have kept them secret, you know. This sort of press will only hurt the chances of more companies being more open with their security issues.

      Shame, shame..

    • why is this in developers when it should be on the front page ? tim stop with the crack already ;)

  • Failure, or success? (Score:4, Insightful)

    by tswinzig ( 210999 ) on Thursday April 11, 2002 @11:18PM (#3327721) Journal
    This can be spun many ways. Could it be that Microsoft found these ten flaws thanks to their month of heavy code checking in February, and are working on fixes for them?

    I mean, why is it a failure to find flaws and fix them? If you're trying to get trustworthy computing, seems like it's a failure if you don't fix any flaws.
  • You idiots, these bugs were found BY the Trustworth Computing campaign. MS just spent two months doing a code review and this is the RESULT.

    This is either just self-serving MS bashing on the part of the editors, or is just another stupid cock-up.

    Similarly, the rumor is that Hailstorm was put on the chopping block partly because of unresolvable security issues (though that's not the public story).

    All of this is evidence that they are finally getting their house in order.

    • All of this is evidence that they are finally getting their house in order.

      You admit that microsoft's house was out of order. And by using the word "getting" you imply that they are not there yet. All while the alternative's houses are in order...

      So why bother with IIS?

    • Re:MS found these bugs first! (Score:1, Informative)

      by Anonymous Coward
      Since when are @stake and eEye part of Microsoft?

    • Microsoft did not find (at least some of) these holes. Did you follow any of the links in the original post??? Going to Microsoft Security Bulletin MS02-18 [microsoft.com], we find the following:

      Acknowledgments

      Microsoft thanks the following people for reporting this issue to us and working with us to protect customers:

      Below that you see a list of people and organizations who reported holes.

      • I suggest you go back and read it. Yes, some of the fixes were found by third parties, but the rest were infact found by MS. Whether this is because of the security review or because they were looking at the code to fix the 3rd party found bugs, and stumbled accross them, we dont know. I dont think we have seen the result of the security review yet.

        The win2k codereview is happening at a slightly differnt pace compared to windows.net.
  • Or are you suggesting that if you don't find the security holes, that they aren't there?

  • I mean, IIS has such a grand history of security lapses that 8 more are probably only a few percent more. It hardly seems newsworthy it's become so common.

    I suppose, though, it's important that people know about flaws in the products they buy.

    But I have to shake my head at any outfit that still uses IIS if they have important company information at stake anywhere near the web server.

    With Apache 2 out of beta the same week as these IIS vulnerabilities, there's a doubly good excuse to try out Apache. Since it's free and open source, there's nothing holding you back except investing a little of your time.

    Go for it!

    After trying out Apache this weekend, you won't lose sleep trying to guess how many more vulnerabilities are in IIS future.

    "Eight less than before" is cold comfort.

  • If IIS 6 is not vulnerable, wouldn't that mean Microsoft's initiative is working?

Slashdot Top Deals

Per buck you get more computing action with the small computer. -- R.W. Hamming

Close