Eight new IIS security holes exposed

lokem · Apr 11, 2002

Just noticed this rather "painful" news on The Register:

Eight new IIS security holes exposed
By Thomas C Greene in Washington
Posted: 11/04/2002 at 00:13 GMT

http://www.theregister.co.uk/content/4/24795.html

There are eight new security stuff-ups affecting various editions of Microsoft IIS (Internet Information Server), the most serious of which will enable an attacker to take over the system, MS revealed today.

If you're wondering why you haven't heard about them before, chalk it up to Trustworthy Computing, a Redmond policy which leaves everyone exposed to attack until MS is satisfied with its patches and spills the beans. We prefer to know these things as soon as possible so we can look into temporary workarounds and shutter the window of opportunity straight away, but MS is clearly opposed to that approach. (One workaround we rather like is called Apache, but we digress....)

Before we get into the gory details, we have to mention that we've received anecdotal reports that some of the MS patches have been breaking some of the machines they're installed on. So do test them before integrating them into critical systems. If you've installed one of the patches, I'd like to hear from you whether your experience was good or bad, in hopes of confirming the problem or, alternatively, putting the rumor down.

TechSpot

Eight new IIS security holes exposed

lokem Newcomer, in training