Microsoft investigating newly reported IIS flaw
Microsoft on Monday said it is looking into a report of a flaw in some versions of its Internet Information Services product that could allow an attacker to gain control of a system.
In a statement, a Microsoft representative said the company "is investigating new public claims of a possible vulnerability in IIS 5 and IIS 6 File Transfer Protocol (FTP)."
Microsoft said it is not aware of any attacks using the vulnerability. "We will take steps to determine how customers can protect themselves, should we confirm the vulnerability."
According to IDG News Service, code for exploiting the unpatched flaw was posted to the Milw0rm Web site. IDG said the exploit appears to affect primarily older versions of IIS--and only when the FTP function is enabled.
Once it is done with its investigation, Microsoft said, it will decide how to address the matter, which could include a security update as part of its monthly Patch Tuesday or an out-of-cycle update.
In a posting on Monday, the U.S. Computer Emergency Readiness Team (US-CERT) suggested IT administrators "disable anonymous write access to the FTP server to help mitigate the vulnerability" but added that "a proper impact analysis should be performed prior to taking defensive measures."
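One way to start the impact analysis US-CERT mentions is to check the FTP service logs for sessions that actually rely on anonymous write access before it is switched off. The following is an added example, not code from Microsoft, US-CERT or the article; the log layout, the method names and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in an assumed W3C-style FTP log layout
# (time c-ip [session]method target status); not taken from a real server.
SAMPLE_LOG = """\
#Fields: time c-ip cs-method cs-uri-stem sc-status
09:14:02 192.0.2.10 [1]USER anonymous 331
09:14:02 192.0.2.10 [1]PASS guest@example.org 230
09:14:09 192.0.2.10 [1]MKD incoming/reports 257
09:14:15 192.0.2.10 [1]created /incoming/reports/q3.csv 226
09:20:41 198.51.100.7 [2]USER backupsvc 331
09:20:41 198.51.100.7 [2]PASS - 230
09:20:50 198.51.100.7 [2]created /backup/db.bak 226
09:31:00 203.0.113.5 [3]USER anonymous 331
09:31:00 203.0.113.5 [3]PASS a@b 230
09:31:04 203.0.113.5 [3]sent /pub/readme.txt 226
09:40:12 203.0.113.9 [4]USER ftp 331
09:40:12 203.0.113.9 [4]PASS x@y 230
09:40:20 203.0.113.9 [4]DELE /incoming/old.txt 550
"""

# Assumed spellings of operations that modify the file system.
WRITE_METHODS = {"CREATED", "STOR", "APPE", "MKD", "RMD", "DELE", "RNFR", "RNTO"}
ANON_USERS = {"anonymous", "ftp"}          # conventional anonymous login names
LINE = re.compile(r"^(\S+) (\S+) \[(\d+)\](\S+) (.*) (\d{3})$")

def anonymous_writes(log_text):
    """Return {client_ip: [(time, method, target, status), ...]} for write
    commands issued in sessions that logged in as an anonymous user."""
    session_user = {}                       # (ip, session id) -> login name
    hits = defaultdict(list)
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:                           # skips '#' directives and malformed lines
            continue
        ts, ip, sid, method, target, status = m.groups()
        key = (ip, sid)
        if method.upper() == "USER":
            session_user[key] = target.lower()
        elif method.upper() in WRITE_METHODS and session_user.get(key) in ANON_USERS:
            hits[ip].append((ts, method, target, int(status)))
    return dict(hits)

def successful_only(hits):
    """Keep only writes the server accepted (2xx): the usage that would break."""
    accepted = {ip: [h for h in rows if 200 <= h[3] < 300] for ip, rows in hits.items()}
    return {ip: rows for ip, rows in accepted.items() if rows}
```

Clients returned by `successful_only` are the ones whose workflow would stop working once anonymous write access is disabled; rejected attempts are worth reviewing separately.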
During her years at CNET News, Ina Fried has changed beats several times, changed genders once, and covered both of the Pirates of Silicon Valley. These days, most of her attention is focused on Microsoft.





I'm sure people will treat your comments with all the respect and value that people have come to expect from you.
I trust MS with my security. And its security is far better than that of YOUR platform, LOL. Again, you're still comparing your platform to an eight-year-old competitor, and blaming MS for failing to address drive-by downloads when they didn't even exist in 2001!
Sorry to bust your bubble, but science trumps religion here.
Completely different from personal users that can upgrade if they feel it is safe to do so;-)
This sounds like it may have been more of a threat 5-10 years ago than today.
Thanks for the laugh.
MS servers are always the most exploited, just like their bloated desktop OS's.
@pentest:
You've been informed of this more than once. Obviously you're blocking it out in desperate attempt to preserve your faith. Sorry to bust your bubble, but science trumps religion here.
Notice that the person I was responding to said, "just like their bloated desktop OSes," insinuating that Vista is getting exploited in the wild. Considering that XP is faster out of the box than Mac OS Tiger, as well as any Linux distro that uses the KDE environment, he must have been referring to Vista. But Vista machines are not being exploited in the wild, making this claim false.
That out of the way, IIS6 or whatever the case may be, it's exploited less than half as often as Apache (almost down to 1/3 as often), while being more than half as prevalent. One could bring up the obscurity argument - which I hold to be true when talking about attacks on desktop OSes - but that's not part of this discussion. Whether IIS6 and IIS5 are less or more secure on paper isn't the issue, as both are being exploited. The issue is fiction; pentest claims that Microsoft's server and desktop platforms are exploited more than anything else. Q.E.D., both claims are fictitious. And fiction belongs elsewhere; CNET is a technology Web site.
Don't bother to reply with any flaming rhetoric either, this will be my only post on this article as I don't own enough Windows computers (just one) to legitimately complain about anything.
>>>>Oh, really? How about citing your sources? From what I recall, ALL THREE security researchers said (and continue to say) that Windows is not only more difficult to hack, but FAR more difficult to hack. Miller has said two years in a row that, in the time it takes to create ONE working exploit for Windows Vista, one can create 5-10 for OS X. He specifically said the reason he went after the Mac was because "it was the easiest of the three." He said, "We wanted to spend as little time as possible coming up with an exploit, so we picked Mac OS X:" http://www.infoworld.com/d/mobilize/mac-easiest-hack-says-10000-winner-728
'This recent turn of tides has prompted me to change a few security measures on my Mac network, as I suspect that the recent security upgrades by Apple are going to give birth to a new generation of hackers who are going to go to great lengths to disprove its stability. In the wild... Windows still holds the top spot for vulnerability, which is why Apple isn't concerned with market share as much as they are putting out a stable, dependable, functionally complete product.'
>>>>Again, sources, please. Empty assertions don't impress me.
'Don't bother to reply with any flaming rhetoric either, this will be my only post on this article as I don't own enough Windows computers (just one) to legitimately complain about anything.'
>>>>Good cop-out, but there's no need for rhetoric, and I don't flame, either. The only empty rhetoric here was yours; my whole business here is countering rhetoric with fact, which is why I can back myself up with evidence and you can't. And unless you can provide some, your mistake here will find you walking in my shadow from this point forward. Once again, science trumps religion here.
I am the grandson of a retired, former employee of LMMSC (formerly LMSC) who worked on the Hubble Space Telescope; as well as a PC service technician and aspiring network engineer in my own right. I am a theistic evolutionist (and neither deistic nor anthropomorphic) who cannot and will not subscribe to any doctrine without sound bases in science, archaeology, and reference from multiple sources. I have been taught to ask all questions and believe no answers. I am not infallible, but strive to be as close to it as humanly possible. And as far as security is concerned, that's closer than any Mac fanboy will get.
In response to what you had intended as a pivotal point, allow me to quote the two winners from Pwn2Own 2009, including "Nils," the aliased German hacker who compromised both Windows 7 beta and OS X Leopard in 2009. The 2009 Pwn2Own competition took place in March, before Windows 7 added Safe Unlinking. This is the most recent source I can quote, while assuming that Windows has in fact grown stronger since, due to the addition of new mitigations...
'Both the Firefox and Safari vulnerabilities that he proved were exploited on a Mac OS X system. The German hacker said the latest versions of both Firefox and IE take full advantage of features built in to Windows Vista that make it far more difficult to reliably exploit than on the current version of OS X. Those features, including "data execution prevention" (DEP) and "address space layout randomization," (ASLR) don't appear to be properly implemented between OS X and versions of Safari and Firefox built for that operating system, Nils said.
'"It's quite easy to write an exploit for Firefox on OS X compared to Firefox on Vista," he said.
'Attackers usually craft exploits so that they write data or programs to very specific, static sections in the operating system's memory, but ASLR counters that approach by constantly moving those points to different positions. DEP makes it so that even if the attacker succeeds in guessing the location of the memory location point they're seeking, the code placed there will not execute or run.
'While few cyber crooks are attacking Mac users through Safari and Firefox at the moment, that may change soon if a large number of Windows users migrate to Windows 7, the successor to Windows Vista, due to be released sometime later this year.
'"It's getting pretty hard to do a lot of this stuff on Windows Vista and Windows 7," Nils said. "Especially when a lot of people who stayed with [Windows XP] switch to Windows 7 because they didn't want Vista, the bad guys may start to figure out they can more easily exploit these bugs more reliably on a Mac."'
'Charlie Miller, an analyst with Baltimore-based Independent Security Evaluators, also won a Macbook and $5,000, for developing an exploit for a previously unknown critical flaw in Safari on Mac OS X.
'"Mac OS X has some ASLR but not much, and there is no DEP in OS X," Miller said. "My exploit relied on exploit code being in a certain spot, and that it would [execute], and in Vista neither of those things would have happened."'
http://voices.washingtonpost.com/securityfix/2009/03/mac_os_x_top_target_in_browser.html
Have a nice day! :D
- by pierregau November 4, 2009 10:52 PM PST
- Microsoft dominates the Web server market (on Windows) because it jumped into the Windows kernel (while others have to cope with the Windows user-mode bloat), see: http://trustleap.ch/
Now, for the first time, a user-mode Web server not only beats IIS in the kernel but also beats ASP.Net by offering portable ANSI C scripts that are 5x faster than C#!
Bonus 1: TrustLeap has been under constant attacks since it was shipped 4 months ago - and no vulnerability was found.
Bonus 2: TrustLeap will ship Linux and Solaris versions by the end of year 2009.