I'm sorry guys, but this is a much more basic problem than whether or not
IIS version da-da-da has an exploit.
It goes back to the design and verification process. It's not like Microsoft
didn't know that IIS would be used on an open (unsecured) network. And it
certainly is no secret that hackers exploit buffer overflows as a result of
inadequate bounds checking. So, why didn't Microsoft apply good security
practices in the design and verification of the IIS product?
There are probably several good answers to this question. Time to market
would be a big one. Microsoft completely misjudged the Internet market and
now they are playing catch up. Testing and verification is a very time-
consuming process and from a marketing standpoint it is far better to get
people using your product than to spend time testing it. Besides, the
methodology Microsoft uses for developing software makes it inordinately
difficult to verify the source code.
After all Microsoft can always fall back on their licensing agreement, which
absolves them of any liability if flaws in their products cause your company
undue embarrassment or financial loss. It's a win-win situation for
Microsoft.
Unfortunately, at least in this case, it's a lose-lose for the thousands of
companies using IIS. Of which I am one.
NOT! ;-]
> -----Original Message-----
> From: Jason Axley [SMTP:[EMAIL PROTECTED]]
> Sent: Monday, June 21, 1999 8:30 AM
> To: Brian Steele
> Cc: [EMAIL PROTECTED]
> Subject: Re: Why not NT?
>
> On Sun, 20 Jun 1999, Brian Steele wrote:
>
> > Date: Sun, 20 Jun 1999 00:23:29 -0400
> > From: Brian Steele <[EMAIL PROTECTED]>
> > To: [EMAIL PROTECTED]
> > Subject: Re: Why not NT?
> >
> > Sigh. More FUD.
> >
> > 1. There are 1.5 million sites running IIS
> >
> > 2. Only a portion of these are running IIS4 (from the
> > NT Option Pack)
> >
> > 3. Only a portion of (2) have left the password-changing app
> > enabled.
> >
> > 4. You certainly shouldn't see the password-changing app
> > enabled on an NT box being used as a firewall.
>
> 5. 100% of sites running IIS are running it as SYSTEM. *cough*
>
> >
> >
> > The attack in question is a buffer overflow attack exploiting IIS, a patch
> > for which is already available from MS.
>
> ...and not a minute too soon! ...and only once the exploit was
> posted... :-) What other security easter eggs are waiting to be found and
> exploited _as SYSTEM_?!
>
> > IIS is not an essential part of NT, but
> > is provided with the NT package free of charge.
>
> I would think that 5. is a *really* good reason to pay money for a
> different web server... "But this goes to 11..."
>
> >
> > If you're using a buffer overflow exploit against an app as a basis for
> > not using NT, then no-one should be using any UNIX-based OS - see Rootshell
> > or any other halfway-decent hacker's site for more info ;-).
>
> Yes. The app != the OS. Of course, MS is rapidly hooking apps into the
> OS, so that this is becoming obsolete reasoning.
>
> >
> > Brian Steele
> >
> > -----Original Message-----
> > From: Bill Stackpole <[EMAIL PROTECTED]>
> > To: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
> > Date: Saturday, 19 June, 1999 11:51 PM
> > Subject: RE: Why not NT?
> >
> >
> > I heard on the news this morning that there are 1.5 million web sites
> > using IIS that are subject to hacking by a tool readily available on the
> > Internet. I think that should end the discussion.
> >
> >
> > -
> > [To unsubscribe, send mail to [EMAIL PROTECTED] with
> > "unsubscribe firewalls" in the body of the message.]
> >
>
>
> AT&T Wireless Services
> IT Security
> UNIX Security Operations Specialist
>