Microsoft confirms major hole in IIS

Brace Yourself

         

Brett_Tabke

4:46 pm on Jun 13, 2002 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



[wired.com...]

The latest vulnerability affects a function in the server software that allows Web administrators to change passwords for an Internet site. Despite the anticipated difficulty for hackers, the flaw was considered unusually threatening because it is closely related to a similar Internet server glitch disclosed by Microsoft on April 10.

Experts believe hackers already have been distributing customized attack tools to exploit the April 10 flaw, and they fear these underground tools could be updated readily to attack computers susceptible to the latest glitch.

Nick_W

4:55 pm on Jun 13, 2002 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Well I never. A security hole?

The best advice for this kind of problem would be to get a real web server ;)

Nick

pageoneresults

4:59 pm on Jun 13, 2002 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



I think Brett has a secret desire to rid the Internet of MS products. Just think of all the security holes they don't tell us about!

Macguru

5:00 pm on Jun 13, 2002 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Nick_W,

No one is immune from such damages, whatever the OS of the servers. The latest Code Red and Nimda extravaganza cost us hundreds of hours cleaning up logfiles from different hosts, all on *nix servers. This is serious.

littleman

5:21 pm on Jun 13, 2002 (gmt 0)



Microsoft should just break down and release the IIS source.

Xoc

6:32 pm on Jun 13, 2002 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Wouldn't do any good unless they also released the Windows source. More than half of IIS has got to be calls into Windows.

Nick_W

6:42 pm on Jun 13, 2002 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



No one is immune from such damages
Very true. There's a pale, sickly kid with a fat mother who babies him too much in every class though. ;)

Nick

johnhamman

2:37 am on Jun 14, 2002 (gmt 0)

10+ Year Member



Does anyone have a link to this patch from MS?
john

Xoc

10:40 pm on Jun 14, 2002 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



To patch IIS and Windows, the first thing to do is to hit the [windowsupdate.com...] site and download every patch. Then download the HFNetChk [support.microsoft.com] utility from Microsoft.

Run it from a command line. It will tell you what patches you have yet to install to make your site secure. Go to the Microsoft web site and search for the Q numbers that it lists for patches to find the patch to install. It will tell you about this and every other patch that Microsoft has available.

EliteWeb

10:52 pm on Jun 14, 2002 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Why all this trouble with being insecure? Why would you utilize a product that has more problems with it than anything? There are dozens of other services which require less server-side attention. Heheh, personally I dislike IIS, the features of it, and have seen many better solutions. However, my solutions stray away from the operating system altogether.

I think MS just wants to make you go back to their sites, see banners, have stuff installed all the time and have one of the most visited sites on the web by forcing people to :)~