> From: Jason Axley [mailto:[EMAIL PROTECTED]]
> 
> On Wed, 9 Jun 1999, John Wiltshire wrote:
> 
> > Date: Wed, 9 Jun 1999 16:43:58 +1000 
> > From: John Wiltshire <[EMAIL PROTECTED]>
> > To: "Firewalls (E-mail)" <[EMAIL PROTECTED]>
> > Subject: RE: Why not NT?
> > 
> 
> [snip]
> > 
> > As for Microsoft's track record with dealing with NT security issues, hop
> > over to the NTBugtraq archives and I think you'll see that several Microsoft
> > people live there monitoring and helping out with the issues - at least as
> > much as I've seen from other vendors on their respective lists.
> > 
> > Regards,
> > 
> > John Wiltshire
> 
> So, this must not be counting Microsoft's latest SNAFU with the IIS
> problem discovered by eEye.  Case in point:  eEye notified Microsoft on
> the 8th of this _very serious_ bug and Microsoft chose not to warn their
> customers and at least give a workaround (i.e. disable .htr) so eEye had
> to release this information--and did so on the 15th--a week later!  Do you
> really think this is adequate, especially given the serious nature of the
> flaw?  eEye even had problems getting responses from Microsoft while
> waiting for them to fix it.  I think it's time to remove your blinders.
> 
> How many freakin' days does it take to provide even a temporary workaround
> (which eEye provided themselves) that, for example, limits the URL length
> to 255 chars?  MS has the source--just add in this check, release the
> temporary fix, continue working on the permanent fix--saving hundreds of
> thousands of servers from being exploited in the meantime.

Ok.  It took them 7 days to release an advisory.  All I can say is that I'm
glad I'm not running with someone like Sun who have *yet* to acknowledge
(according to their website) that a buffer overrun exists in libc!!!  Look
at the bugtraq archives - this one has been out at least a month!

To quote from a Sun support engineer  "We tend to be cautious about
publishing our security bugs".  What sort of attitude is this?  Give me
Microsoft any day.

> Oh, food for thought:  If MS is now so security conscious, why does their
> *web server* _still_ run as SYSTEM...  This is security 101 and I give
> them an F.  The flaw in IIS would not have been as devastating (run any
> code you want _as SYSTEM_ on the remote host...)

The web server runs as system.  The processes which service the web requests
(you do have them running in separate processes if you are that worried,
don't you?) run as the user which connected via the web.  Still, I guess it
rates up there with an operating system which allows superusers to
arbitrarily assign their user id without a password.  ;-)

Regards,

John Wiltshire
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
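The stop-gap measures argued over in the thread (disable the .htr ISAPI mapping, and cap the request URL at 255 characters until a real fix ships) can be expressed as a small request pre-filter. The code below is an added illustration and is not code from the thread, from eEye or from Microsoft; the function names, the constants and the sample request lines are assumptions constructed for the example. It works on the HTTP request line only, which is all the two workarounds need.

```python
# Added example (not from the original thread): a request-line pre-filter
# that applies the two temporary workarounds discussed in the message while
# a vendor patch is awaited:
#   1. refuse any request-URI longer than 255 characters, and
#   2. refuse any request routed to the .htr ISAPI extension.
# All names and sample inputs here are constructed for illustration.
from urllib.parse import unquote

MAX_URL_LEN = 255              # limit suggested in the quoted message
BLOCKED_EXTENSIONS = {".htr"}  # ISAPI mappings to refuse (assumed list)


def split_request_line(line: str):
    """Split 'METHOD SP Request-URI SP HTTP-Version' into its three parts."""
    parts = line.strip().split()
    if len(parts) != 3:
        raise ValueError("malformed request line")
    return parts[0], parts[1], parts[2]


def uses_blocked_extension(uri: str) -> bool:
    """True if any path segment of the URI carries a blocked extension.

    The query string is ignored, percent-encoding is decoded first so that
    '%2Ehtr' cannot slip past a naive string match, backslashes are treated
    as path separators (as IIS does), and every segment is checked because
    '/x.htr/extra' is still dispatched to the .htr handler with PATH_INFO.
    The comparison is case-insensitive since the underlying filesystem is.
    """
    path = unquote(uri.split("?", 1)[0]).replace("\\", "/")
    for segment in path.split("/"):
        dot = segment.rfind(".")
        if dot != -1 and segment[dot:].lower() in BLOCKED_EXTENSIONS:
            return True
    return False


def check_request_line(line: str):
    """Return (allowed, reason) for one raw HTTP request line."""
    try:
        method, uri, version = split_request_line(line)
    except ValueError as exc:
        return False, str(exc)
    if len(uri) > MAX_URL_LEN:
        return False, f"request-URI too long ({len(uri)} > {MAX_URL_LEN})"
    if uses_blocked_extension(uri):
        return False, "request for a disabled ISAPI extension"
    return True, "ok"


# Constructed sample request lines, not captured traffic.
SAMPLE_REQUESTS = [
    "GET /default.asp HTTP/1.0",
    "GET /scripts/test.HTR?x=1 HTTP/1.0",
    "GET /a%2Ehtr HTTP/1.0",
    "GET /x.htr/extra HTTP/1.0",
    "GET /" + "A" * 300 + ".htr HTTP/1.0",
]


def filter_requests(lines):
    """Run the pre-filter over a list of request lines; returns verdicts."""
    return [(line[:40], *check_request_line(line)) for line in lines]


if __name__ == "__main__":
    for shown, allowed, reason in filter_requests(SAMPLE_REQUESTS):
        print(f"{'ALLOW' if allowed else 'DENY ':5} {shown:40} {reason}")
```

The length check runs first because it is the cheaper, more general guard; the extension check then catches the specific handler regardless of how the name is spelled or encoded. A filter like this only buys time: it does nothing about the code running as SYSTEM once an exploit does get through, which is the other half of the argument above.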
