
Microsoft warns of new server vulnerability

Ina Fried CNET News | May 19, 2009 5:29 AM PDT

Summary

Microsoft said it is looking into "public reports of a possible vulnerability in Microsoft Internet Information Services (IIS)."
A new, unpatched vulnerability exists in one of Microsoft's server products, the company warned late on Monday.

In a technical bulletin, the company said it is looking into "public reports of a possible vulnerability in Microsoft Internet Information Services (IIS)."

The company said that a flaw exists in a certain type of web-serving operation.

"An elevation of privilege vulnerability exists in the way that the WebDAV extension for IIS handles HTTP requests," Microsoft said. "An attacker could exploit this vulnerability by creating a specially crafted anonymous HTTP request to gain access to a location that typically requires authentication."

Microsoft said it is not aware of attacks using the vulnerability. The company said it may provide an update as part of its monthly Patch Tuesday or, depending on the severity, could provide a fix outside its monthly patching schedule.

In the meantime, the company listed on its website certain configuration settings that can help mitigate the impact of the flaw.

This article was originally posted on CNET News.

13
Comments


Where is the infamous Loverock????
Parassassin 20th May 2009
=/
0 Votes
+ -
Oh gawd, say it isn't so.
Intellihence Updated - 19th May 2009
There is no way in the world I believe this c.r.a.p.

Microsoft is the bestest software developing company in the world. Take for instance its Intertwined Exploiter. just kidding

I read this story elsewhere yesterday & Microsoft denied the exploit. Quick turn-a-round on this one.
0 Votes
+ -
....
n0neXn0ne 19th May 2009
Where did the OP mention Apache?

^o^

0 Votes
+ -
I agree. I had a web site attempt to
GuidingLight 19th May 2009
download a virus onto my computer. I was surprised that it was Apache based running on Linux.

Cannot they take a lesson from Microsoft and make their software more secure?
0 Votes
+ -
Both Apache and IIS are pretty secure
honeymonster 19th May 2009
Very few actual vulnerabilities are found in any of the products. I would wager a bet that 99.999% of successful attacks from the latest years were through the application layer or a misconfiguration.
0 Votes
+ -
I agree with you.
GuidingLight Updated - 19th May 2009
My response was to be of Intellihence's post
(Where only Microsoft software has problems, everyone else's is 100 percent perfect) but I pressed the wrong button, replied to Story, not Message.

But that was my point: there is nothing perfect, and many problems will be found with all software over time.
0 Votes
+ -
re: I agree with you.
n0neXn0ne Updated - 19th May 2009
"...(Where only Microsoft software has problems, everyone else's is 100 percent perfect )
...
But that was my point: there is nothing perfect ,..."


You build up a straw man only to knock him down, eh?


^o^

0 Votes
+ -
More info
honeymonster 19th May 2009
IIS7 (distributed with Server 2008) is not affected.

IIS6 (distributed with Server 2003) is not affected in its default configuration. It is only affected if WebDAV has been installed and configured.

The vulnerability allows the attacker to bypass security mechanisms and access otherwise protected resources as anonymous user. As this user by default does not have write access the attacker will not be able to write files on the server, unless the admin has granted rights to anonymous (which would be really stupid).

It is unclear if the attacker can execute e.g. aspx pages or merely read files.

In the first case it could be really bad for a lot of sites, as pages typically do allow users to change something.

In the latter case the attacker may be able to snoop on configuration files. Which may also be bad if he can learn SQL server passwords etc. that way (ASP.NET allows the "connection string" section to be encrypted as a production best practice which would mitigate this).
0 Votes
+ -
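
As an added example (not part of the comment above or of Microsoft's guidance): a log check for the behaviour described, an anonymous request succeeding on a location that should require authentication. The protected prefix list, the logged field set and the sample log lines are assumptions constructed for illustration.

```python
# Added example: scan an IIS W3C extended log for anonymous requests that
# succeeded under paths the administrator expects to require authentication.
WEBDAV_VERBS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE",
                "LOCK", "UNLOCK", "SEARCH"}

# Constructed sample log (not from the page); columns follow the #Fields line.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status
2009-05-19 10:00:01 GET /index.htm - 192.0.2.10 200
2009-05-19 10:00:05 GET /private/report.doc - 192.0.2.10 401
2009-05-19 10:00:09 GET /private/report.doc CORP\\alice 192.0.2.10 200
2009-05-19 10:02:13 PROPFIND /private/ - 198.51.100.7 207
2009-05-19 10:02:20 GET /Private/plan.xls - 198.51.100.7 200
"""

def find_anonymous_hits(log_text, protected_prefixes):
    """Return log records for anonymous 2xx responses under protected paths."""
    prefixes = tuple(p.lower() for p in protected_prefixes)
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]        # header can change mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        values = line.split()                # IIS encodes spaces as '+'
        if len(values) != len(fields):
            continue                         # malformed or truncated line
        rec = dict(zip(fields, values))
        try:
            uri = rec["cs-uri-stem"].lower() # IIS paths are case-insensitive
            status = int(rec["sc-status"])
            user, method = rec["cs-username"], rec["cs-method"].upper()
        except (KeyError, ValueError):
            continue                         # required field not logged
        # "-" in cs-username means the request was served anonymously.
        if user == "-" and 200 <= status < 300 and uri.startswith(prefixes):
            rec["webdav_verb"] = method in WEBDAV_VERBS
            hits.append(rec)
    return hits

if __name__ == "__main__":
    for hit in find_anonymous_hits(SAMPLE_LOG, ["/private/"]):
        print(hit["date"], hit["time"], hit["c-ip"], hit["cs-method"],
              hit["cs-uri-stem"], hit["sc-status"], hit["webdav_verb"])
```

Any hit means a protected path answered without credentials and is worth reviewing against the site's authentication settings.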
Typical MS-like response
MyMac 19th May 2009
Instead of dealing with the issue they ignore the problem while trying to direct criticism onto others.

0 Votes
+ -
.
0 Votes
+ -
typical uninformed moron.....
JoeMama_z 19th May 2009
the only thing Microsoft hasn't done is issue a patch. Which they are developing and TESTING now.

This issue doesn't affect default installations of IIS, and unless anonymous has write access the issue is moot anyway.

try enabling anonymous write access on any internet application and see what happens.

Idiot.
0 Votes
+ -
Unfortunate, but true...
Socratesfoot 19th May 2009
I'd be the first to knock M$ if this was anything important to scorn. But it's just a patch and letting people know is a good thing. If we're going to criticize something from M$, we have to at least sound level headed and impartial.

(Even if they are a bunch of doo-doo heads!)


0 Votes
+ -